MS Windows Task Scheduler becomes a hideout of the Tarrask malware

April 21, 2022
MS Microsoft Windows Task Scheduler Tarrask Malware Trojan

Microsoft’s security response team has recently detected a Hafnium malware that establishes persistence on infected Windows systems by creating scheduled tasks and then hiding them inside the Task Scheduler tool. The researchers named the malware Tarrask; it is used by the Chinese state-sponsored threat group known as Hafnium.

According to the findings, the malicious activity was attributed to the Hafnium operators, a state-backed hacking group that exploits an unpatched zero-day flaw as its initial attack vector.

The threat actors also use Impacket, a collection of Python classes, for lateral movement across the network. The Tarrask malware itself is used for execution and for bypassing security controls.

The malware then creates concealed scheduled tasks and takes further actions to delete the task attributes, hiding the rogue scheduled tasks from standard detection tools.

Some analysts said that the Hafnium group is notorious for targeting United States-based entities such as security researchers, defence companies, think tanks, and industrial firms. Moreover, the hacking group was linked by other researchers to the wide-scale exploitation of the ProxyLogon zero-day vulnerability.


Hafnium’s hacking tool, Tarrask, uses a previously undocumented Windows weakness to hide the scheduled task attributes from the “schtasks” query and from the Task Scheduler console by removing the task’s associated Security Descriptor (SD) registry value.


The threat group then uses these scheduled tasks to maintain access to the infected devices even after the victim restarts the machine.

Several researchers believe the threat actors may also have deleted all on-disk artefacts, such as the task XML files written to the system folder and the related registry keys, to remove all traces of the malware. This method serves a second purpose: it lets the threat actor keep persistence inside the system while evading analysis by cyber security researchers.

The Tarrask malware lets its operators hide scheduled tasks in order to maintain access to crucial information. Experts recommend that users find these hidden tasks through an in-depth manual inspection of the Windows Registry, searching for scheduled tasks whose Task key has no SD value.
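The registry check described above, written out as an added PowerShell example (this is not code from the article or from Microsoft’s report). It assumes the standard Task Scheduler cache location under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache, where the Tree subkey holds the task hierarchy and the Tasks subkey holds one entry per task keyed by its GUID, and it needs an elevated session to read those keys.

```powershell
# Added example: list scheduled tasks whose Tree key has no "SD"
# (security descriptor) value, the artefact Tarrask removes to hide a task.
# Read-only; run from an elevated PowerShell session.

$TreeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$TasksRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Get-HiddenScheduledTask {
    param([string]$Root = $TreeRoot)

    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $props.Id) { return }                     # no task GUID here

        # A real task has a matching entry under TaskCache\Tasks\{GUID};
        # folder nodes in the Tree do not, so skip anything without one.
        $taskKey = Join-Path $TasksRoot $props.Id
        if (-not (Test-Path $taskKey)) { return }

        if ($null -eq $props.SD) {
            # The task still has its definition (and so still runs),
            # but Task Scheduler and schtasks cannot display it.
            $def = Get-ItemProperty -Path $taskKey -ErrorAction SilentlyContinue
            [pscustomobject]@{
                TreeKey  = $_.Name
                Id       = $props.Id
                TaskPath = $def.Path
            }
        }
    }
}

# Usage: any row returned is a task with its SD value missing and
# should be investigated; a clean system normally returns nothing.
Get-HiddenScheduledTask | Format-Table -AutoSize
```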
