
Hafnium's New Malware Hides Behind Scheduled Tasks

Microsoft has spotted malware that maintains persistence on compromised Windows systems by creating scheduled tasks and then hiding them from the usual task-listing tools. The malware, named Tarrask, is used by the China-backed Hafnium hacking group.

What has happened?  

Microsoft's Detection and Response Team (DART) uncovered recent malicious activity attributed to the Hafnium hacking group.
  • The group abused an unpatched zero-day vulnerability as its initial attack vector.
  • It used Impacket for lateral movement and execution, and a defense-evasion malware called Tarrask for persistence.
  • Tarrask creates scheduled tasks and then strips attributes from them, so the tasks no longer appear to traditional identification tools.

Hafnium is known to target U.S. defense companies, researchers, and think tanks. Further, the group was linked with global-scale exploitation of the ProxyLogon zero-day flaws.

About Tarrask

Tarrask abuses a previously unknown Windows flaw to conceal scheduled tasks from schtasks /query and the Task Scheduler by deleting the task's Security Descriptor (SD) registry value. Every scheduled task is recorded under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree; once the SD value under a task's key is removed, the task is no longer listed, but it keeps running.
  • Hafnium used these hidden scheduled tasks to keep access to compromised devices, including after a restart.
  • Microsoft assesses that the attackers may also have removed the remaining on-disk artifacts (the task's registry keys and the task XML file in the system folder) to erase all traces, while still persisting across restarts.

Ending notes

The Tarrask tool lets attackers hide scheduled tasks and so maintain access to critical assets. Experts therefore suggest hunting for these hidden tasks by manually inspecting the Windows Registry: enumerate the task keys under the TaskCache\Tree key and look for any task key that has no SD value.
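The following PowerShell hunt is an added example, not code from the original article or from Microsoft. It walks the Task Scheduler registry cache, flags task entries whose SD value is missing or that the Task Scheduler API does not report, and, for each hit, notes whether the task's XML file still exists on disk and what command the task runs. It assumes it is run from an elevated PowerShell prompt on the host being examined and that the account can read the TaskCache keys; the function name and the crude string recovery from the binary Actions value are the author's choices, not anything Microsoft documents.

```powershell
# Added example (not from the original article). Hunts for Tarrask-style
# hidden scheduled tasks: the task still exists in the Task Scheduler
# registry cache, but its "SD" (security descriptor) value was deleted,
# so schtasks /query and the Task Scheduler UI no longer list it.
# Assumption: run from an elevated PowerShell prompt with read access to
# the TaskCache keys.

$TreeKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$TasksKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
# Get-ChildItem returns the registry-native name, so strip this prefix
# to get the task path in the form "\Folder\TaskName".
$TreeName = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$XmlRoot  = Join-Path $env:SystemRoot 'System32\Tasks'

function Find-HiddenScheduledTask {
    # Tasks the Task Scheduler API is willing to report. A task that is in
    # the registry but absent here is hidden from the API.
    $visible = @{}
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $visible[($_.TaskPath + $_.TaskName)] = $true
    }

    Get-ChildItem -Path $TreeKey -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $props) { return }
        $names = @($props.PSObject.Properties.Name)
        # Folder keys under Tree carry no Id value; real task entries do.
        if ($names -notcontains 'Id') { return }

        $taskPath  = $_.Name.Substring($TreeName.Length)      # e.g. \Microsoft\Windows\Defrag\ScheduledDefrag
        $hasSD     = $names -contains 'SD'
        $isVisible = $visible.ContainsKey($taskPath)
        if ($hasSD -and $isVisible) { return }                 # ordinary task, nothing to report

        # Pull the action from the Tasks\{GUID} entry so the analyst sees
        # what the hidden task executes. Actions is REG_BINARY containing
        # UTF-16 strings; printable ASCII is recovered crudely here.
        $detail  = Get-ItemProperty -Path (Join-Path $TasksKey $props.Id) -ErrorAction SilentlyContinue
        $command = ''
        if ($detail -and $detail.Actions) {
            $command = ([System.Text.Encoding]::Unicode.GetString($detail.Actions) -replace '[^\x20-\x7E]', ' ').Trim()
        }

        [pscustomobject]@{
            TaskPath     = $taskPath
            Id           = $props.Id
            HasSD        = $hasSD
            VisibleToAPI = $isVisible
            # Tarrask may also have deleted the task's XML; note if it is gone.
            XmlOnDisk    = Test-Path -LiteralPath (Join-Path $XmlRoot $taskPath.TrimStart('\'))
            Command      = $command
        }
    }
}

Find-HiddenScheduledTask | Format-Table -AutoSize
```

A task that shows HasSD = False, or VisibleToAPI = False while still present in the registry, is exactly the condition the article describes and deserves a closer look at its Command and at the Tasks\{Id} entry. Because the task keeps running without its SD value, simply deleting the stray key is not enough on its own; capture the action, then remove the task and hunt for the process it launches.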

Cyware Publisher
