CloudZ RAT Exploits Windows Phone Link to Steal Credentials and OTPs
- [01] Threat actors use CloudZ RAT to weaponize Windows Phone Link, allowing the theft of sensitive credentials and intercepted one-time passwords from mobile devices.
- [02] The attack targets Windows workstations with the Phone Link application enabled and paired with Android or iOS mobile devices for synchronization.
- [03] Security teams must disable the Phone Link feature via administrative policies and monitor for the deployment of the previously undocumented Pheno plugin.
Overview of the CloudZ RAT Intrusion Campaign
Security researchers have identified a sophisticated intrusion set involving the CloudZ remote access tool (RAT) and a previously undocumented plugin known as Pheno. This campaign specifically targets corporate environments to facilitate credential theft and bypass multi-factor authentication (MFA). According to The Hacker News, the attackers use these tools to leverage the native Windows Phone Link application, turning a productivity feature into a conduit for sensitive data exfiltration.
The primary objective of the APT group behind this activity appears to be the systematic collection of user credentials and the interception of one-time passwords (OTPs). Because Phone Link mirrors the phone's SMS messages and notifications to the paired Windows host, a threat actor who controls that host can read OTPs delivered by SMS or push notification, defeating any MFA that depends on them.
Windows Phone Link Exploitation Techniques and OTP Interception
The core of this threat lies in the abuse of legitimate operating system features. Windows Phone Link allows users to sync their SMS messages, call logs, and app notifications directly to their desktop. When a system is infected with CloudZ RAT, the attackers deploy the Pheno plugin to interact with the Phone Link database and interface.
To detect CloudZ RAT in an environment, SOC analysts should look for unauthorized access to the Phone Link process (PhoneExperienceHost.exe on current Windows builds; YourPhone.exe on older ones) and its local data stores. The Pheno plugin is a specialized module that scrapes incoming notifications in real time. When a victim receives an OTP for a banking session or a corporate login, the plugin captures the text and exfiltrates it to a command-and-control (C2) server.
This technique is particularly dangerous because it does not rely on a specific CVE: it is credential access and MFA bypass built on the trust relationship between the workstation and the mobile device rather than on a software flaw, so patching alone does not remove it. If initial access was gained through phishing, the attackers can combine the stolen credentials with the intercepted OTP to reach the organization's cloud resources or VPN.
Technical Analysis of the Pheno Plugin
The Pheno plugin is a lightweight DLL that is side-loaded or injected into legitimate processes. Its primary TTP involves monitoring the SQLite databases in which Windows Phone Link caches message history, kept under the app's package folder (Microsoft.YourPhone_8wekyb3d8bbwe beneath %LOCALAPPDATA%\Packages). Because Phone Link remains active in the background, the plugin can continuously watch for new entries without the user ever opening the application window.
Synchronizing SMS messages and app notifications to the desktop creates a significant attack surface: anything the phone mirrors becomes readable by whatever runs on the workstation. The attackers exploit this by automating extraction, so they can act on an OTP within seconds of its issuance, which matters because modern authentication systems deliberately issue short-lived codes.
Detecting and Mitigating Windows Phone Link Abuse
Defenders must adopt a multi-layered approach to identify and neutralize this threat. Because the malware abuses legitimate features, signature-based detection may be insufficient; behavioural telemetry around the Phone Link process is needed.
- Endpoint Monitoring: Configure EDR or Sysmon to alert on process access with write or thread-creation rights, remote thread creation, and unsigned DLL loads involving YourPhone.exe or PhoneExperienceHost.exe, and hunt for any published indicators of compromise for CloudZ RAT and the Pheno plugin. Note that Sysmon does not record file reads, so direct reads of the Phone Link database require EDR file telemetry or an object-access audit (SACL) on the app's package folder.
- Registry and Policy Auditing: Check for modifications to the registry keys that control Phone Link synchronization settings, and confirm that the "Phone-PC linking on this device" policy (Computer Configuration > Administrative Templates > System > Group Policy, which sets EnableMmx to 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows\System) is enforced wherever Phone Link is not needed. Organizations should ideally disable the feature entirely for high-risk users using Group Policy Objects (GPO).
- Network Analysis: Look for outbound connections from the Phone Link processes to destinations outside the Microsoft endpoints the app normally uses, and correlate them with the endpoint alerts above.
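As an added example (not the article's, The Hacker News's, or any vendor's code), the following Python triages a handful of Sysmon-style events for the signals listed above: cross-process access to the Phone Link process with injection rights (Event ID 10), remote thread creation in it (8), untrusted DLL loads into it (7), and egress from it to unexpected destinations (3). Field names follow the Sysmon event schema; the trusted-source list, the destination allow-list, and every sample event are assumptions constructed for illustration and must be tuned per environment.

```python
"""Added example (not the article's or any vendor's code): triage Sysmon-style events for
tampering with Windows Phone Link. Field names follow Sysmon's schema; the allow-lists and
every sample event below are constructed assumptions to be tuned per environment."""
import json

# Phone Link's host process on current builds is PhoneExperienceHost.exe; older builds used YourPhone.exe.
PHONE_LINK_IMAGES = {"phoneexperiencehost.exe", "yourphone.exe"}

# Assumption: tools allowed to open Phone Link with write/thread rights (e.g. Defender).
# Matching on basename only is a starting point; production rules should also check path and signer.
TRUSTED_SOURCE_IMAGES = {"msmpeng.exe", "mssense.exe"}

# Assumption: hostname suffixes Phone Link is expected to contact.
EXPECTED_DEST_SUFFIXES = (".microsoft.com", ".live.com", ".windows.com")

# GrantedAccess bits that permit injection into the target process:
# PROCESS_CREATE_THREAD 0x0002 | PROCESS_VM_OPERATION 0x0008 | PROCESS_VM_WRITE 0x0020
INJECT_BITS = 0x0002 | 0x0008 | 0x0020


def image_name(path: str) -> str:
    """Lower-case basename of a Sysmon Image/SourceImage/TargetImage path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: list[dict]) -> list[dict]:
    """Return one alert dict per suspicious event, in input order."""
    alerts = []
    for ev in events:
        eid, rec = ev["EventID"], ev.get("RecordId")
        if eid == 10 and image_name(ev["TargetImage"]) in PHONE_LINK_IMAGES:
            # ProcessAccess: a handle to Phone Link with rights that allow code injection
            granted = int(ev["GrantedAccess"], 16)
            src = image_name(ev["SourceImage"])
            if granted & INJECT_BITS and src not in TRUSTED_SOURCE_IMAGES:
                alerts.append({"rule": "phone_link_process_access", "record": rec,
                               "source": src, "granted": hex(granted)})
        elif eid == 8 and image_name(ev["TargetImage"]) in PHONE_LINK_IMAGES:
            # CreateRemoteThread into Phone Link has no legitimate use
            alerts.append({"rule": "phone_link_remote_thread", "record": rec,
                           "source": image_name(ev["SourceImage"])})
        elif eid == 7 and image_name(ev["Image"]) in PHONE_LINK_IMAGES:
            # ImageLoaded: an unsigned or non-Microsoft DLL inside Phone Link (side-loading)
            signed = ev.get("Signed", "false").lower() == "true"
            signer = ev.get("Signature", "")
            if not signed or not signer.startswith("Microsoft"):
                alerts.append({"rule": "phone_link_untrusted_dll", "record": rec,
                               "dll": image_name(ev["ImageLoaded"]), "signer": signer or None})
        elif eid == 3 and image_name(ev["Image"]) in PHONE_LINK_IMAGES:
            # NetworkConnect: Phone Link talking to something other than its expected services.
            # Unresolved destinations (empty hostname) are flagged for triage rather than ignored.
            host = ev.get("DestinationHostname", "").lower()
            if not host.endswith(EXPECTED_DEST_SUFFIXES):
                alerts.append({"rule": "phone_link_unexpected_egress", "record": rec,
                               "dest": host or ev.get("DestinationIp"),
                               "port": ev.get("DestinationPort")})
    return alerts


# Constructed sample events (paths, names and addresses are invented for illustration).
PL = r"C:\Program Files\WindowsApps\Microsoft.YourPhone_1.24.0.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe"
DROPPER = r"C:\Users\alice\AppData\Roaming\Updater\svchost.exe"
SAMPLE_EVENTS = [
    # Defender inspecting Phone Link: trusted source, no alert
    {"RecordId": 1, "EventID": 10, "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe",
     "TargetImage": PL, "GrantedAccess": "0x1410"},
    # User-writable binary opens Phone Link with full access: injection preparation
    {"RecordId": 2, "EventID": 10, "SourceImage": DROPPER, "TargetImage": PL, "GrantedAccess": "0x1F3FFF"},
    # Remote thread created inside Phone Link
    {"RecordId": 3, "EventID": 8, "SourceImage": DROPPER, "TargetImage": PL, "StartAddress": "0x00007FFDEADBEEF0"},
    # Unsigned DLL loaded by Phone Link
    {"RecordId": 4, "EventID": 7, "Image": PL, "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\plugin.dll",
     "Signed": "false"},
    # Microsoft-signed DLL: expected
    {"RecordId": 5, "EventID": 7, "Image": PL, "ImageLoaded": r"C:\Windows\System32\ws2_32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    # Expected egress to a Microsoft service
    {"RecordId": 6, "EventID": 3, "Image": PL, "DestinationHostname": "login.live.com",
     "DestinationIp": "198.51.100.10", "DestinationPort": "443"},
    # Unresolved egress to an unknown host on an odd port
    {"RecordId": 7, "EventID": 3, "Image": PL, "DestinationHostname": "",
     "DestinationIp": "203.0.113.7", "DestinationPort": "8443"},
    # Access to a different process: out of scope for this rule set
    {"RecordId": 8, "EventID": 10, "SourceImage": DROPPER, "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

In production the event list would come from a SIEM or from the Sysmon operational log rather than the constructed sample, the trusted-source check should compare full paths and signers rather than basenames, and the destination allow-list should be built from observed baseline traffic for the Phone Link process. Reads of the Phone Link database itself are not visible to this rule set because Sysmon emits no file-read event.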
A Zero Trust architecture also limits the impact of credential theft. Moving from SMS- or notification-based MFA to phishing-resistant, hardware-bound authenticators such as FIDO2 security keys removes the code that CloudZ RAT and the Pheno plugin exist to intercept: even if an attacker reads every mirrored notification, they still lack the physical key needed to complete authentication. Any OTP that reaches the phone as an SMS or an app notification can be mirrored, so the remedy is to stop relying on mirrored codes rather than to change which app delivers them.