New Malware Targets SMS Codes
A new malware campaign targets Microsoft Phone Link users to steal SMS codes and login data. Researchers found a new version of the CloudZ remote access tool that includes a plugin called Pheno, which targets Microsoft Phone Link connections. Phone Link ships with Windows 10 and Windows 11.
The app links a computer to a mobile device so that users can read messages and notifications from the desktop. Attackers abuse this feature to capture sensitive information such as one-time passwords and authentication alerts.
How the Malware Works
The Pheno plugin watches for active Phone Link sessions and then reads a local SQLite database on the computer that may contain synced text messages and temporary login codes. Attackers can thus steal the codes without compromising the mobile device itself: according to the researchers, they only need access to the infected computer, not control of the connected phone.
The malware also offers the usual remote-access functions: file management, command execution, screen recording, loading and removing plugins, and terminating its own processes. To hide its network activity, it rotates between several user-agent strings during communication.
This makes the malicious traffic resemble ordinary browser traffic, so security systems may be slower to flag it. The malware also sets anti-caching headers so that proxy servers and content delivery systems do not keep copies of its traffic.
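The two traffic traits just described are each common on their own but rarely appear together from one host, which makes the pair a useful hunting signal. The following is an added example, not code from the report or from the CloudZ tooling: it scores a constructed JSON-per-line proxy log (an assumed format with host, ts, ua and cc fields) and flags hosts that rotate User-Agent strings within a short window while mostly sending anti-caching headers.

```python
from collections import defaultdict
import json

# Constructed sample proxy log, one JSON record per line (assumed format, not from the report).
SAMPLE_LOG = """
{"host":"10.0.0.5","ts":100,"ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/120","cc":"no-store"}
{"host":"10.0.0.5","ts":130,"ua":"Mozilla/5.0 (Windows NT 10.0) Firefox/121","cc":"no-cache"}
{"host":"10.0.0.5","ts":160,"ua":"Mozilla/5.0 (Macintosh) Safari/17.2","cc":"no-store"}
{"host":"10.0.0.5","ts":190,"ua":"Mozilla/5.0 (X11; Linux) Chrome/119","cc":"no-cache"}
{"host":"10.0.0.9","ts":100,"ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/120","cc":""}
{"host":"10.0.0.9","ts":150,"ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/120","cc":"max-age=0"}
{"host":"10.0.0.9","ts":400,"ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/120","cc":""}
"""

ANTI_CACHE_TOKENS = ("no-cache", "no-store")

def parse_log(text):
    """Parse JSON-per-line records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_anti_caching(cache_control):
    """True if the Cache-Control value asks intermediaries not to cache."""
    value = (cache_control or "").lower()
    return any(token in value for token in ANTI_CACHE_TOKENS)

def profile_hosts(records, window=300):
    """Per host: (max distinct UAs in any `window`-second span, share of anti-caching requests)."""
    by_host = defaultdict(list)
    for rec in records:
        by_host[rec["host"]].append(rec)
    profile = {}
    for host, reqs in by_host.items():
        reqs.sort(key=lambda r: r["ts"])
        max_distinct = 0
        for i, start in enumerate(reqs):
            # User-agents seen from this request until the window closes
            uas = {r["ua"] for r in reqs[i:] if r["ts"] - start["ts"] <= window}
            max_distinct = max(max_distinct, len(uas))
        share = sum(is_anti_caching(r.get("cc")) for r in reqs) / len(reqs)
        profile[host] = (max_distinct, share)
    return profile

def flag_hosts(records, window=300, min_distinct_ua=3, min_share=0.5):
    """Hosts showing both traits together; each alone is common in benign traffic."""
    return sorted(host for host, (n_ua, share) in profile_hosts(records, window).items()
                  if n_ua >= min_distinct_ua and share >= min_share)

if __name__ == "__main__":
    print(flag_hosts(parse_log(SAMPLE_LOG)))  # ['10.0.0.5']
```

The thresholds are starting points; tune the window and minimum distinct-UA count against a baseline of your own proxy logs before alerting on them.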
Infection Method Remains Unclear
Researchers have not yet identified the initial infection vector, but they observed a common pattern: victims run a fake software update, which installs a Rust-based loader; that loader deploys a second, .NET-based loader, and the malware establishes persistence through scheduled tasks.
The .NET loader includes several anti-analysis checks: it looks for monitoring tools such as Wireshark and Procmon, for sandbox environments, and for virtual machine indicators. These checks are meant to keep the malware from running, and thus from revealing its behavior, while it is under analysis, which makes it harder for researchers to inspect safely.
Why OTP Theft Creates Serious Risks
SMS-based one-time passwords still protect many online accounts, and attackers increasingly target them. A stolen OTP lets a criminal bypass the second authentication factor, and victims can lose access to important accounts. Many users trust SMS authentication because it is simple, but SMS messages themselves have little protection.
Rather than compromising the phone, attackers infect the computer and capture the codes from the desktop application that mirrors them. This creates additional risk for remote workers and business users, and for their companies, data theft and account compromise.
How Users Can Reduce the Threat
Users should not rely on SMS-based authentication alone. Security experts recommend phishing-resistant login methods such as hardware security keys. Users should also avoid suspicious software updates and unknown downloads, which reduces the chance of infection in the first place.
Regular endpoint monitoring helps detect unusual activity quickly, and threat detection services can identify suspicious behavior before major damage occurs. Organizations should also secure connected devices and authentication systems so that attackers face more barriers during an intrusion. Managed security monitoring and endpoint defense services help detect malware activity and block unauthorized access early.
Sleep well, we got you covered.