Microsoft has found a new malware employed by the Chinese-backed Hafnium hacking group to create and hide scheduled activities on compromised Windows PCs in order to sustain persistence.
Cyberespionage attacks by the Hafnium threat group have previously targeted US defence businesses, think tanks, and researchers.
It's also one of the state-sponsored groups Microsoft has tied to the global exploitation of the ProxyLogon zero-day vulnerability, which affected all supported Microsoft Exchange versions last year.
The Microsoft Detection and Response Team (DART) stated, "As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors. Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defence evasion malware called Tarrask that creates 'hidden' scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification."
Tarrask, a hacking tool, hides them from "schtasks /query" and Task Scheduler by removing the related Security Descriptor registry value, which is a previously undiscovered Windows flaw.
By re-establishing dropped connections to command-and-control (C2) infrastructure, the threat group was able to keep access to the infected devices even after reboots. While the Hafnium operators could have deleted all on-disk artefacts, including all registry keys and the XML file uploaded to the system folder, this would have destroyed persistence between restarts.
The "hidden" tasks can only be discovered by performing a manual search of the Windows Registry for scheduled tasks that do not have an SD (security descriptor) Value in their Task Key.
Admins can additionally check for important events associated to tasks "hidden" by Tarrask malware by enabling the Security.evtx and Microsoft-Windows-TaskScheduler/Operational.evtx logs.
Microsoft also suggests setting logging for 'TaskOperational' in the Microsoft-Windows-TaskScheduler/Operational Task Scheduler log and keeping an eye on outbound connections from crucial Tier 0 and Tier 1 assets.
DART added, "The threat actors in this campaign used hidden scheduled tasks to maintain access to critical assets exposed to the internet by regularly re-establishing outbound communications with C&C infrastructure. We recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving persistence, which brings us to raising awareness about this oft-overlooked technique."
