


























Follow ZDNET: Add us as a preferred source on Google.
Cisco Talos researchers have revealed the exploits of a Remote Access Trojan (RAT) that can steal your credentials the moment you launch the Microsoft Phone Link app to connect your phone to your PC.
Also: Windows changes are coming: Here's how to get a sneak peek at what's next
Microsoft Phone Link is an app you may not be aware of, but it comes preinstalled on Windows 10 and 11. Formerly branded as Your Phone, this application allows users to connect their phone to their Windows PC via Bluetooth and Wi-Fi.
The app supports Android and iOS and can be used to answer calls, reply to text messages from your computer, and receive notifications. On Android, you can also view and share your camera reel.
CloudZ is a modular Remote Access Trojan (RAT), compiled as a .NET executable and equipped with a range of defenses against analysis and reverse engineering, including obfuscation and the detection of debuggers and profilers in its environment.
The malware loads its instructions into memory during execution, establishes a connection to a command-and-control (C2) server, and executes PowerShell scripts to extract, download, and exfiltrate data to the attacker-controlled C2 server.
While the researchers did not document any specific methods of initial intrusion, if CloudZ has infected a Windows PC, it can spy on these systems using the newly-discovered "Pheno" plugin. Pheno is a malicious module in CloudZ designed to continuously monitor and scan for active Phone Link processes.
Once CloudZ is alerted to an active connection through Pheno's surveillance capabilities, the Trojan attempts to hijack and intercept the Phone Link application's SQLite database file. If successful, CloudZ can steal sensitive information as it passes from the smartphone to the PC, including credentials, SMS messages, and potentially one-time passcodes (OTPs).
This Trojan abuses legitimate Windows functions rather than exploiting an application vulnerability, a common practice among many surveillance- and data-theft-focused malware strains.
This research is a reminder that malware doesn't need to infect your Android or iOS smartphone to compromise the information on your handset. Any form of connection -- whether it is Wi-Fi, Bluetooth, or a link forged between your home PC and other devices -- comes with risk, especially at a time when cybercriminals are constantly developing new methods to steal our information, spy on us, or damage our systems.
Cisco Talos' latest research highlights how cross-device syncing attacks can occur to bypass modern security controls, such as two-factor authentication (2FA) and OTP delivery. Just because you own both devices doesn't mean they are both safe or trustworthy.
There are steps in this attack chain that we can follow, and at each stage, there are security practices and methods we can use to reduce our risk of becoming a victim of CloudZ and similar Trojans.
While Cisco Talos researchers aren't sure of the initial attack vector, when the malware landed on a Windows PC, it executed as a fake ScreenConnect application update, which then deployed the RAT.
This gives us several pointers to staying protected:
You should also be aware of the risks posed by PC-to-phone bridges. They are useful features, absolutely, but we need to keep each 'zone' clean and free from infection.
Also: I tried this free Windows cleanup tool to see if it'd speed up my PC - and it worked
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。