A piece of new malware intended to sustain persistence on infected Windows systems has been attributed to the Chinese-backed Hafnium hacker gang. The threat actor is thought to have aimed at businesses in the telecommunications, internet service provider, and data services sectors from August 2021 to February 2022, extending victimology patterns seen during its attacks leveraging a then zero-day flaw in Microsoft Exchange Servers in March 2021.
The defensive evasion malware, called “Tarrask” by Microsoft Threat Intelligence Center (MSTIC), is described as a tool that produces “hidden” scheduled activities on the system. According to the researchers, “scheduled task abuse is a relatively typical form of persistence and defensive evasion – and an intriguing one at that.
While Hafnium is most known for its Exchange Server exploits, it has since used unpatched zero-day flaws as initial vectors to spread web shells and other malware, including Tarrask, which adds new registry keys in the Tree and Tasks paths when new scheduled tasks are created –
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME
“In this scenario, the threat actor created a scheduled task named ‘WinUpdate’ via HackTool:Win64/Tarrask in order to re-establish any dropped connections to their command-and-control (C&C) infrastructure,” as stated by the researchers. “This resulted in the creation of the registry keys and values described in the earlier section, however, the threat actor deleted the [Security Descriptor] value within the Tree registry path.” A security descriptor (aka SD) establishes access controls to run the scheduled task.
However, removing the SD value from the aforementioned Tree registry path effectively hides the job from the Windows Task Scheduler and the schtasks command-line application until explicitly reviewed using the Registry Editor.
