The CloudZ malware makes use of the Microsoft Phone Link.

The CloudZ malware took advantage of the Microsoft Phone Link, sucking SMS from the company computer.

Short Message Service (SMS) smuggling by malware does not happen on the phone alone, because now using a tool to connect a mobile phone to a computer, hackers can easily steal data through a computer, as in this case.

According to a report by the website, CSO Online has mentioned remote-controlled malware detection, or the RAT (Remote Access Trojan) called CloudZ, and a Pheno plug-in that has the ability to collaborate to steal mobile phone data through tools to connect mobile phones, both iOS and Android, to computers like Microsoft Phone Link. This tool is often used on a large enterprise (Enterprise) level, as it allows employees to see notifications, messages and incoming calls to phones connected to a computer through this application. And the key to This software is that all data received through this software is recorded on a local computer, and this is a weakness that malware and plugins use to steal data from mobile phones.

In order to access the victim's system, the research team from Cisco Talos, which detected the malware, said that the carrier is not clear what the hacker uses as a carrier or how to access the victim, but it is clear that the first file that the hacker tricked into running (Execution) is a file that claims to be an update of a Remote Desktop tool called ScreenConnect. The file is a loader file written in Rust and called "systemupdating.exe," which, after running, will be loosened from the Loader malware file written on the basis of. NET descends again disguised as a Text file in the System folder of the Windows body. This .NET Loader will use the Anti-Analysis tool to detect the system before unlocking the real CloudZ malware. The CloudZ malware is decrypted and runs on the In-Memory Execution, making it difficult to detect by the detector.

At the same time, the first Loader malware will create Persistence on the malware with a Task Scheduling under the name "SystemWindowsApis." It will be timed to run every time it is launched and upgraded to Privilege with the use of the Windows tool called regasm.exe.

After the CloudZ malware has successfully embedded itself into the system, the malware will immediately contact the C2 or Command and Control server via the Encryption channel to retrieve the necessary functions - Credential Harvesting, File Operation, and Remote Command Execution. In addition, the second set of Configuration has been downloaded from the C2 server.

One of the key tools in this campaign is a malware plugin called Pheno, which can scan whether a Phone Link is in use on the victim's computer by scanning for a process called "YourPhone," "PhoneExperienceHost," or "Link to Windows," and log the operation of the software recorded on the device. If it is detected, the plugin will flags that the phone Link is in use and send the data back to the hackers to use the CloudZ malware to steal the data of the mobile phone sent on the phone. Link is saved as an SQLite database file. The stolen data spans SMS messages, one-time passwords, and OTP, and authentication information on the authentication application used by the victim's mobile phone.

# microsoft # Trending # lemon 8 diary # cloudz # freedomhack