Microsoft Exposes Elusive Chinese Tarrask Malware Attacking Windows Computers

By any Bonny@
URL: https://thehackernews.com/2022/04/microsoft-exposes-evasive-chinese.html

The China-backed Hafnium hacking group has been linked to new malware used to maintain persistence in compromised Windows environments.
The malicious actor reportedly targeted entities in the telecommunications, internet service provider, and data services industries from August 2021 to February 2022, expanding from the initial victimology patterns observed during its March 2021 attacks exploiting then-zero-day vulnerabilities.
Microsoft Threat Intelligence Center (MSTIC), which dubbed the defense evasion malware Tarrask, characterized it as a tool that creates hidden scheduled tasks on the system.
Abuse of scheduled tasks is a very common method of persistence and defense evasion, and a seductive one at that, the researchers say.
Hafnium, while best known for attacks on Exchange Server, has since exploited unpatched zero-day vulnerabilities as initial vectors to drop web shells and other malware, including Tarrask, which creates new registry keys under two Task Scheduler paths, Tree and Tasks, whenever it creates a new scheduled task.

In this scenario, the threat actor created a scheduled task named WinUpdate via HackTool:Win64/Tarrask in order to reestablish any broken connections to its command-and-control (C&C) infrastructure, the researchers said.
This resulted in the creation of the registry keys and values described above. However, the threat actor then deleted the [Security Descriptor] value within the Tree registry path.
A security descriptor (aka SD) defines the access controls that govern who may execute the scheduled task.
By clearing the SD value from the aforementioned Tree registry path, the task is effectively hidden from the Windows Task Scheduler and from the command-line utility, unless the registry paths are examined manually in Registry Editor.
The attacks […] show how the Hafnium threat actor displays a unique understanding of the Windows subsystem and uses this expertise to hide activities on targeted endpoints in order to maintain persistence on affected systems and hide in plain sight, the researchers said.
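The hiding technique described above can be checked for directly, because the task's registry keys remain even when the Task Scheduler no longer reports the task. The following PowerShell script is an added example, not code from the article, from Microsoft, or from the Tarrask tool: it walks the Task Scheduler cache under the standard Windows TaskCache\Tree and TaskCache\Tasks registry paths (the full paths are the usual Windows locations, supplied here rather than taken from the article), flags any task whose Tree key lacks an SD value, and cross-checks each registry entry against what Get-ScheduledTask is willing to list. The function name, the output field names and the Suspicious heuristic are the example's own choices.

```powershell
# Added example, not code from the article, from Microsoft, or from the Tarrask tool.
# Walks the Task Scheduler registry cache and flags tasks whose Tree key has no SD
# (security descriptor) value, which is the hiding technique the article describes.
# Requires an elevated PowerShell session; Get-ScheduledTask needs Windows 8 /
# Server 2012 or later. The two registry paths are the standard Windows locations.

$TreeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$TasksRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Get-SuspiciousScheduledTasks {
    [CmdletBinding()]
    param(
        [string]$TreePath  = $TreeRoot,
        [string]$TasksPath = $TasksRoot
    )

    # Task paths the Task Scheduler API reports. A task the service hides because
    # its SD value is gone will be absent here even though its registry keys exist.
    $visible = @{}
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $visible[$_.TaskPath + $_.TaskName] = $true
    }

    Get-ChildItem -Path $TreePath -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        # Folder keys under Tree contain subkeys; task keys are leaves.
        if ($key.SubKeyCount -gt 0) { return }

        # Turn the full key name into a task path such as \WinUpdate
        $taskPath = $key.Name -replace '^.*\\TaskCache\\Tree', ''
        $id       = $key.GetValue('Id')          # GUID that names the Tasks\{GUID} key
        $hasSD    = $null -ne $key.GetValue('SD')

        # The Tasks\{GUID} key keeps the task definition (Path, Author, Actions, ...)
        # even when the Tree SD value has been deleted, so read what it still offers.
        $taskKey = if ($id) { Join-Path -Path $TasksPath -ChildPath $id } else { $null }
        $tasksKeyPresent = [bool]($taskKey -and (Test-Path -Path $taskKey))
        $author = $null
        if ($tasksKeyPresent) {
            $author = (Get-Item -Path $taskKey).GetValue('Author')
        }

        $isVisible = $visible.ContainsKey($taskPath)
        [pscustomobject]@{
            TaskPath           = $taskPath
            Id                 = $id
            HasSD              = $hasSD
            TasksKeyPresent    = $tasksKeyPresent
            VisibleToScheduler = $isVisible
            Author             = $author
            Suspicious         = (-not $hasSD) -or (-not $isVisible)
        }
    }
}

# Usage: print only the entries that deserve a closer look, then inspect the
# corresponding Tasks\{GUID} key (Actions value) by hand in Registry Editor.
Get-SuspiciousScheduledTasks |
    Where-Object { $_.Suspicious } |
    Format-Table TaskPath, HasSD, VisibleToScheduler, Author -AutoSize
```

The two flags are deliberately kept separate: HasSD is false exactly when the Tree key has been stripped of its security descriptor as described above, while VisibleToScheduler catches the consequence of that stripping (the scheduler API and the command-line tools no longer list the task) without depending on how the hiding was done. An empty task folder has no subkeys and would be reported as a leaf with a null Id, which is why the Tasks\{GUID} lookup is guarded.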

