Stealthy malware abuses Microsoft Phone Link to siphon SMS OTPs from enterprise PCs

Multi-stage infection chain: The intrusion begins with an unknown initial access vector, followed by the execution of a malicious file disguised as a ScreenConnect update, Talos said. The initial payload is a Rust-compiled loader using filenames such as “systemupdates.exe,” which drops a .NET loader disguised as a text file in a system directory, the post said. Persistence is established through a scheduled task named “SystemWindowsApis” that runs at startup with elevated privileges using the legitimate regasm.exe utility, the researchers wrote in the blog. The .NET loader runs anti-analysis checks before unpacking CloudZ. It performs multiple checks to detect security tools and sandbox environments before executing the payload in memory, the report said. It “calculates the actual elapsed time of a sleep command to detect if it is executed in the analysis environment,” and scans for tools such as Wireshark, Fiddler, Procmon, and Sysmon. “The .NET loader exits the execution if these are detected in the victim environment,” the blog post added. The CloudZ payload is then decrypted in memory and executed, it said.
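The persistence and loader details above give a defender two concrete things to hunt for: a scheduled task named "SystemWindowsApis" that launches regasm.exe at startup, and a loader dropped under a name like "systemupdates.exe". The following is an added example (not code from Talos, Cisco or CSO Online) that runs those checks over a handful of constructed event records. The records are simplified dictionaries shaped loosely like Sysmon process-creation events (ID 1) and Windows scheduled-task registration events (ID 4698); the field names, the trigger labels and the sample paths are assumptions for illustration. The regasm rule generalises the article's description slightly: it flags regasm.exe run from a startup or logon trigger against a target whose extension is not a normal assembly (.dll or .exe), which is how a "loader disguised as a text file" would look in telemetry.

```python
"""Hunt for the CloudZ persistence/loader indicators from the Talos write-up.
Added example; event shape and field names are assumptions, not a real schema."""
import ntpath  # handles Windows paths regardless of the host OS
from dataclasses import dataclass

# Indicators taken from the article text
TASK_NAME = "SystemWindowsApis"    # persistence task name
LOADER_NAME = "systemupdates.exe"  # Rust loader filename
LOLBIN = "regasm.exe"              # legitimate utility abused to run the .NET loader

# Assumed labels for startup-type triggers in these sample records
STARTUP_TRIGGERS = {"atstartup", "atlogon"}
ASSEMBLY_EXTS = {".dll", ".exe"}   # what regasm.exe is normally pointed at


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: int
    detail: str


def _base(path):
    """Lower-cased file name component of a Windows path ('' if missing)."""
    return ntpath.basename(path or "").lower()


def check_process(evt):
    """Sysmon ID 1: flag the loader's known filename."""
    findings = []
    if _base(evt.get("image")) == LOADER_NAME:
        findings.append(Finding("loader-filename", 1, evt["image"]))
    return findings


def check_task(evt):
    """Security ID 4698: flag the known task name and the regasm-at-startup pattern."""
    findings = []
    name = (evt.get("task_name") or "").strip("\\").lower()
    if name == TASK_NAME.lower():
        findings.append(Finding("task-name", 4698, evt["task_name"]))

    action = _base(evt.get("action"))
    trigger = (evt.get("trigger") or "").lower()
    target = evt.get("arguments") or ""
    ext = ntpath.splitext(target)[1].lower()
    # Heuristic: regasm.exe launched at startup/logon against a non-assembly file
    if action == LOLBIN and trigger in STARTUP_TRIGGERS and ext not in ASSEMBLY_EXTS:
        findings.append(Finding("regasm-startup-nonassembly", 4698,
                                f"{evt['action']} {target}"))
    return findings


def hunt(events):
    """Apply the matching rule set to each event; returns a list of Findings."""
    out = []
    for evt in events:
        if evt.get("event_id") == 1:
            out.extend(check_process(evt))
        elif evt.get("event_id") == 4698:
            out.extend(check_task(evt))
    return out


# Constructed sample telemetry (paths and task names are made up for this example)
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Users\alice\Downloads\systemupdates.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"event_id": 4698, "task_name": r"\SystemWindowsApis",
     "action": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "arguments": r"C:\Windows\Temp\update.txt",   # loader "disguised as a text file"
     "run_level": "HighestAvailable", "trigger": "AtStartup"},
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"event_id": 4698, "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"C:\Windows\System32\defrag.exe", "arguments": "",
     "run_level": "Highest", "trigger": "Weekly"},
    {"event_id": 4698, "task_name": r"\Vendor\RegisterComponent",  # benign regasm use
     "action": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "arguments": r"C:\Program Files\Vendor\component.dll",
     "run_level": "Highest", "trigger": "AtLogon"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

Only the first two sample records produce findings (three in total, since the malicious task trips both the name rule and the regasm heuristic); the benign defrag task and the regasm call against a real .dll stay quiet. In practice the exact task and file names are the weakest indicators, because they are trivial to change, so the regasm-at-startup heuristic is the rule worth keeping in a detection backlog.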

RAT enables credential theft and plugin delivery: CloudZ establishes an encrypted connection to a command-and-control server and supports a range of functions, including credential harvesting, file operations, and remote command execution, Talos said. The malware also retrieves secondary configuration data from attacker-controlled infrastructure. The Talos researchers wrote that the RAT downloads configuration data from remote servers and “extracts the C2 server IP address … and port number … establishing connections through TCP sockets.” It also rotates user-agent strings to blend its traffic with legitimate browser activity, the researchers noted.

Pheno plugin monitors active device sync: The Pheno plugin is responsible for identifying active Phone Link sessions and enabling data interception. It “scans all running processes for specific keywords such as ‘YourPhone,’ ‘PhoneExperienceHost,’ or ‘Link to Windows,’” and logs results locally, the report said. The plugin then checks for evidence of a proxy connection used by Phone Link to relay data between devices. “The presence of ‘proxy’ … indicates that the Phone Link session is actively routing traffic through its relay channel,” the researchers wrote. When such activity is detected, the plugin flags the system as connected, which “eventually allows the attacker … to potentially monitor SMS or OTP requests that appear on the Phone Link application,” according to the report. Talos has released detection signatures and indicators of compromise, including malware hashes, command-and-control infrastructure, and Snort rules associated with the activity. Cisco Talos did not attribute the activity to a known threat actor.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4167092/stealthy-malware-abuses-microsoft-phone-link-to-siphon-sms-otps-from-enterprise-pcs.html
