Multi-factor authentication (MFA) has long been the gold standard for securing user accounts, forcing attackers to find creative workarounds. Rather than attempting to compromise mobile devices directly to intercept One-Time Passwords (OTPs), threat actors are now leveraging the trust between our PCs and smartphones.
Recent research has unveiled a highly sophisticated intrusion involving a remote access trojan (RAT) called CloudZ and a custom plugin named Pheno. Discovered by the Cisco Talos team, this attack bypasses mobile security altogether by hijacking the established PC-to-phone bridge created by the Windows Phone Link application.
Here is a deep dive into how this modular RAT operates, its evasion techniques, and how the Pheno plugin intercepts sensitive MFA data.
The Anatomy of a CloudZ Infection
The attack lifecycle begins with a deceptive initial access vector, typically disguised as a fake ScreenConnect application update. The intrusion relies on an intricate, multi-stage loading process designed to slip past endpoint defenses.
- The Rust Dropper: The initial payload is a 64-bit Rust-compiled executable disguised with a legitimate-sounding filename such as `systemupdates.exe`.
- The .NET Loader: When executed, the dropper decrypts and implants an embedded .NET loader masquerading as a harmless text file (e.g., `update.txt`).
- Persistence via LOLBins: An embedded PowerShell script establishes persistence by creating a Scheduled Task (`SystemWindowsApis`) that runs under the `SYSTEM` account with the highest privileges. To execute the payload silently, the script uses the legitimate .NET Framework tool `regasm.exe` (a classic Living-off-the-Land, or LOLBin, technique).
- Reflective Loading: The loader conducts rigorous environment checks. If the coast is clear, it decodes a large hexadecimal blob via bytewise XOR decryption and reflectively loads the CloudZ RAT directly into memory.
Enter CloudZ: A Highly Modular RAT
CloudZ is a modular, heavily obfuscated .NET RAT built to exfiltrate data and establish resilient command-and-control (C2). It rotates between hardcoded User-Agent strings and uses anti-caching headers to blend its HTTP traffic with legitimate browser activity. Notably, CloudZ uses dead-drop resolvers—extracting secondary C2 configuration data hosted on Pastebin—to find its ultimate C2 server IP.
Once connected, CloudZ operates via a command dispatcher with capabilities that include:
- Executing arbitrary shell commands.
- Exfiltrating browser credential data.
- Screen recording.
- Deploying additional plugins using a tiered fallback approach (`curl`, `PowerShell`, and `bitsadmin`).
Pheno Plugin: Stealing OTPs Without Touching the Phone
The most alarming aspect of this campaign is the deployment of the Pheno plugin. Rather than attempting the difficult task of infecting an Android or iOS device, the attacker targets the Microsoft Phone Link app (formerly "Your Phone").
Phone Link bridges a PC and a smartphone via Wi-Fi and Bluetooth, mirroring SMS messages, call logs, and notifications into a local SQLite database (PhoneExperiences-*.db) on the Windows machine.
The Pheno plugin continually monitors the system for active Phone Link processes like YourPhone, PhoneExperienceHost, or Link to Windows. It then looks for the keyword "proxy" in the output data, a telltale sign that the local proxy relaying traffic between the PC and the paired mobile device is active. Once a connection is confirmed, CloudZ swoops in to intercept the SQLite database.
The result? The attacker gains real-time access to SMS messages and authenticator app notifications, effectively neutralizing OTP-based two-factor authentication without ever deploying a single byte of malware to the victim's mobile phone.
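As an added defender-side example (not code from the article or from Talos), the Python below runs two hunting checks derived from the infection chain above and from the Pheno behaviour: a scheduled-task registration that matches the reported task name or launches regasm.exe as SYSTEM, and any process other than Phone Link's own touching a PhoneExperiences-*.db file. The telemetry records, their field names, the Phone Link process names and the file paths are constructed assumptions.

```python
import fnmatch

# Assumptions (not from the article): Phone Link process names, the record
# field names, and the sample paths. The task name, regasm.exe usage and the
# PhoneExperiences-*.db target come from the Talos findings summarised above.
PHONE_LINK_PROCESSES = {"phoneexperiencehost.exe", "yourphone.exe"}
PHONE_DB_GLOB = "*phoneexperiences-*.db"
TASK_IOC_NAME = "systemwindowsapis"
SYSTEM_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "S-1-5-18"}

def check_scheduled_task(event):
    """Return reasons a task-registration record looks like CloudZ persistence."""
    reasons = []
    if event.get("task_name", "").strip("\\").lower() == TASK_IOC_NAME:
        reasons.append("task name matches reported IoC SystemWindowsApis")
    action = event.get("action", "").lower()
    if "regasm.exe" in action and event.get("user", "").upper() in SYSTEM_ACCOUNTS:
        reasons.append("regasm.exe scheduled to run as SYSTEM (LOLBin proxy execution)")
    return reasons

def check_file_access(event):
    """Return a reason if a non-Phone-Link process touches the Phone Link database."""
    path = event.get("target_path", "").lower()
    image = event.get("image", "").lower().rsplit("\\", 1)[-1]   # basename only
    if fnmatch.fnmatch(path, PHONE_DB_GLOB) and image not in PHONE_LINK_PROCESSES:
        return [f"{image} accessed Phone Link database {path}"]
    return []

HANDLERS = {"task_registered": check_scheduled_task, "file_access": check_file_access}

def hunt(events):
    """Run both checks over telemetry records; return (host, record type, reason)."""
    findings = []
    for ev in events:
        for reason in HANDLERS.get(ev.get("type"), lambda _ev: [])(ev):
            findings.append((ev.get("host", "?"), ev["type"], reason))
    return findings

# Constructed sample telemetry: two benign records, then two shaped like the campaign.
SAMPLE_EVENTS = [
    {"type": "task_registered", "host": "ws01", "task_name": "\\Nightly Backup",
     "user": "alice", "action": "C:\\Tools\\backup.exe"},
    {"type": "file_access", "host": "ws01", "image": "C:\\PhoneLink\\PhoneExperienceHost.exe",
     "target_path": "C:\\Users\\alice\\AppData\\Local\\PhoneLink\\PhoneExperiences-1.db"},
    {"type": "task_registered", "host": "ws02", "task_name": "\\SystemWindowsApis",
     "user": "NT AUTHORITY\\SYSTEM", "action": "C:\\Windows\\Microsoft.NET\\regasm.exe update.txt"},
    {"type": "file_access", "host": "ws02", "image": "C:\\Users\\Public\\systemupdates.exe",
     "target_path": "C:\\Users\\bob\\AppData\\Local\\PhoneLink\\PhoneExperiences-1.db"},
]
```

Calling `hunt(SAMPLE_EVENTS)` yields three findings, all on ws02: two for the task registration and one for the database read; the benign records produce none.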
Stringent Evasion Capabilities
CloudZ and its loaders are deeply paranoid, employing several layers of defense evasion:
- Sandbox & VM Evasion: Checks for minimum hardware requirements (e.g., at least two CPU cores) and searches for strings like "VIRTUAL" or "SANDBOX" in directory paths, usernames, and computer names.
- Time-Based Evasion: Calculates the actual elapsed time of a `sleep` command to detect manipulated analysis environments.
- Tool Detection: Enumerates running processes to hunt for security tools like Wireshark, Fiddler, Procmon, and Sysmon. If any are detected, execution halts.
- Anti-Debugging: Queries the `_ENABLE_PROFILING` environment variable to ensure no .NET profilers or debuggers are attached.
MITRE ATT&CK Matrix Mapping
Below is a mapping of the Tactics, Techniques, and Procedures (TTPs) identified in the CloudZ and Pheno campaigns.
| Tactic | Technique ID | Technique Name | Threat Actor Implementation |
|---|---|---|---|
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | Executes scripts to verify running processes and establish persistence. |
| Execution | T1053.005 | Scheduled Task/Job | Creates a Scheduled Task named SystemWindowsApis to execute the malware upon startup. |
| Persistence | T1053.005 | Scheduled Task/Job | Modifies the Task Scheduler to run continuously under the SYSTEM account. |
| Privilege Escalation | T1053.005 | Scheduled Task/Job | Executes the scheduled payload with /rl HIGHEST privileges. |
| Defense Evasion | T1218 | System Binary Proxy Execution | Uses the legitimate regasm.exe (LOLBin) to load and execute the malicious .NET payload. |
| Defense Evasion | T1036 | Masquerading | Disguises executables as system updates (systemupdates.exe) and malicious binaries as text files (update.txt). |
| Defense Evasion | T1027 | Obfuscated Files or Information | Uses ConfuserEx, Base64 encoding, and Hex-XOR decryption for configuration and payload hiding. |
| Defense Evasion | T1620 | Reflective Code Loading | Dynamically loads the decrypted CloudZ .NET payload directly into memory. |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion | Verifies CPU cores (>=2) and checks for VM indicators ("VIRTUAL", "SANDBOX"). |
| Defense Evasion | T1497.003 | Time Based Evasion | Validates environment by measuring the exact elapsed time of a sleep command. |
| Defense Evasion | T1562.001 | Impair Defenses | Scans for active analysis tools (Wireshark, Sysmon, Procmon) to halt execution. |
| Discovery | T1057 | Process Discovery | Uses Get-CimInstance Win32_Process and Pheno to hunt for "YourPhone" and security tools. |
| Discovery | T1082 | System Information Discovery | Collects OS edition, architecture, and hardware specifics. |
| Credential Access | T1555.003 | Credentials from Web Browsers | Uses the BrowserSearch command to exfiltrate browser credentials. |
| Credential Access | T1111 | Two-Factor Authentication Interception | Steals OTPs and SMS verification codes by hijacking Microsoft Phone Link SQLite databases. |
| Collection | T1113 | Screen Capture | Uses the rec command for live screen recording. |
| Collection | T1005 | Data from Local System | Gathers local application data files, primarily PhoneExperiences-*.db. |
| Command and Control | T1102 | Web Service | Uses Pastebin as a dead-drop resolver to fetch secondary C2 configurations. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | Communicates with C2 over HTTP utilizing rotated User-Agents and anti-caching headers. |
| Command and Control | T1105 | Ingress Tool Transfer | Downloads the Pheno plugin using a 3-method fallback (curl, PowerShell, bitsadmin). |
Final Thoughts
The CloudZ RAT and Pheno plugin serve as a powerful reminder of how threat actors adapt to modern security controls. With endpoint security continuously evolving and 2FA becoming mandatory, attackers are moving laterally—not just across networks, but across the trusted application boundaries between our devices. Securing the modern enterprise requires scrutinizing seemingly benign synchronization apps like Phone Link just as rigorously as remote desktop or cloud applications.
Credits: Original research, technical analysis, and telemetry reporting provided by Alex Karkins and Chetan Raghuprasad at Cisco Talos Intelligence. For the full technical breakdown, read their original post: CloudZ RAT potentially steals OTP messages using Pheno plugin.