Microsoft Exposes Evasive Chinese Tarrask Malware Attacking Windows Computers


China-backed Hafnium hacking group has been linked to new malware used to maintain persistence in compromised Windows environments.

The threat actor reportedly targeted entities in the telecommunications, internet service provider, and data services industries from August 2021 to February 2022, expanding from the initial victimology patterns seen in its attacks exploiting the zero-day flaws in Microsoft Exchange servers in March 2021.

Microsoft Threat Intelligence Center (MSTIC), which dubbed the defense evasion malware “Tarrask”, characterized it as a tool that creates “hidden” scheduled tasks on the system.


Hafnium, although best known for the Exchange Server attacks, has since exploited unpatched zero-day vulnerabilities as initial vectors to drop web shells and other malware, including Tarrask, which creates new registry keys under two paths, Tree and Tasks, when it registers a scheduled task:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}

“In this scenario, the threat actor created a scheduled task named ‘WinUpdate’ via HackTool:Win64/Tarrask to reestablish any broken connections to its command and control (C&C) infrastructure,” the researchers said.

“This resulted in the creation of the registry keys and values described in the previous section, however, the threat author removed the [Security Descriptor] value in the Tree registry path.” A security descriptor (aka SD) defines the access controls for running the scheduled task.


Clearing the SD value under the aforementioned Tree registry path causes the task to “disappear” from the Windows Task Scheduler and from the schtasks command-line utility; it remains visible only when the registry is examined manually by browsing to those paths in the registry editor.
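Because the task only vanishes from the scheduler's normal views while its registry footprint stays behind, the practical check is to walk the Tree path directly and look for task keys that have no SD value. The following PowerShell script is an added detection example written for this article; it is not Microsoft's code. It assumes it runs elevated (ideally as SYSTEM, since some SD values may not be readable by a plain administrator, which would otherwise produce false positives), and the `Path` value under `Tasks\{GUID}` is an assumption about the task cache layout rather than something the article states. The two registry paths themselves are the ones quoted above.

```powershell
# Added example: enumerate the Task Scheduler registry cache and flag task entries
# whose SD (security descriptor) value is missing, the condition described for Tarrask.
# Assumes an elevated session; run as SYSTEM (e.g. via PsExec -s) for reliable SD reads.
$treeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$tasksRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Find-HiddenScheduledTask {
    Get-ChildItem -Path $treeRoot -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue

        # Only task leaf keys carry an Id (the {GUID}); folder keys such as Microsoft\Windows do not.
        if ($null -eq $props.Id) { return }

        # A task key with no SD value is exactly what makes the task invisible to schtasks / the UI.
        $sd = Get-ItemProperty -Path $key.PSPath -Name SD -ErrorAction SilentlyContinue
        if ($null -ne $sd) { return }

        # Cross-reference the Tasks\{GUID} key (assumed layout: a Path value holds the task's full path).
        $taskKey   = Join-Path -Path $tasksRoot -ChildPath $props.Id
        $taskProps = Get-ItemProperty -Path $taskKey -ErrorAction SilentlyContinue

        # Relative task path under Tree, e.g. "WinUpdate" or "Microsoft\Windows\Foo\Bar".
        $relPath = $key.Name.Substring($key.Name.IndexOf('\Tree\') + 6)

        # Confirm whether the Task Scheduler API can still see it by name; a hidden task should not show.
        $visible = $null -ne (Get-ScheduledTask -TaskName $key.PSChildName -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            TreePath      = $relPath
            TaskId        = $props.Id
            TasksKeyPath  = $taskProps.Path
            VisibleViaAPI = $visible
            TreeKeyExists = $true
        }
    }
}

# Usage: list candidates; a non-empty result warrants pulling the Actions/Triggers values
# from Tasks\{GUID} and correlating with Task Scheduler operational event logs.
Find-HiddenScheduledTask | Format-Table -AutoSize
```

A task that appears in this output but not in `schtasks /query` or `Get-ScheduledTask` matches the behaviour the article describes, so the registry keys, not the scheduler API, should be the source of truth when hunting for this technique. Restoring the task's visibility (by recreating an SD value) is normally unnecessary for response; deleting the Tree and Tasks keys and collecting the Actions data for analysis is the usual course.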

“Attacks […] signify how the Hafnium threat actor displays a unique understanding of the Windows subsystem and uses this expertise to obfuscate activities on targeted endpoints to maintain persistence on affected systems and hide in plain sight,” the researchers said.

The disclosure marks the second time in as many weeks that a task-based scheduled persistence mechanism has come to light. Recently, Malwarebytes detailed a “simple but effective” method adopted by malware called Colibri that involved co-opting scheduled tasks to survive machine reboots and execute malicious payloads.
