Chinese Tarrask Malware Targeting Windows Computers


A new piece of malware used to maintain persistence in compromised Windows environments has been linked to Hafnium, a hacking group backed by the Chinese state.


According to the reports, between August 2021 and February 2022 the threat actor expanded its victimology to include telecommunication, internet service provider and data services companies, moving beyond the initial March 2021 attacks that exploited then-zero-day flaws in Microsoft Exchange Server.


The defense evasion malware, known as "Tarrask", works by creating "hidden" scheduled tasks on the system. Scheduled task abuse is one of the most common, and most attractive, techniques used by adversaries who want to keep a foothold on a machine while avoiding detection.


Hafnium has exploited unpatched zero-day vulnerabilities to drop web shells and other malware, including Tarrask. Creating a scheduled task on Windows produces registry keys and values under the following two locations:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}


In this case, the attacker used HackTool:Win64/Tarrask to set up a scheduled task named "WinUpdate" whose purpose was to re-establish dropped connections to their command-and-control infrastructure.




Creating the task resulted in the registry keys and values described above being written. The threat actor then deleted the SD (security descriptor) value from within the Tree registry path. The SD value holds the access controls that govern who can see and manage the task, and Windows Task Scheduler will not display a task whose SD value is missing, even though the task itself continues to run.


This means that a task treated this way no longer appears in the Windows Task Scheduler interface or in the output of command-line utilities such as schtasks; it is effectively hidden from view until someone manually inspects the registry paths in Registry Editor.
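A check that a defender can run to surface tasks hidden this way, as an added example and not code from the original article or from the Microsoft report: it walks the Tree key for task nodes that have no SD value, looks up each one's Tasks\{GUID} entry, and records whether the Task Scheduler API still lists the task. The function and variable names are this example's own; the two registry paths are the ones quoted above.

```powershell
# Added example (not from the original report or from Tarrask itself): hunt for
# scheduled tasks whose Tree node has no SD value, which is the condition the
# attacker created to hide the "WinUpdate" task. Run from an elevated
# PowerShell session; the TaskCache keys are not readable by standard users.

$treeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$tasksRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
# RegistryKey.Name spells the hive as HKEY_LOCAL_MACHINE rather than HKLM:, so
# this prefix is stripped to recover the task path as Task Scheduler shows it.
$treePrefix = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

function Get-TasksMissingSD {
    # Collect every task the Task Scheduler API is willing to show, so the report
    # can confirm that each registry-only finding really is invisible to it.
    $visible = @{}
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        ForEach-Object { $visible[$_.TaskPath + $_.TaskName] = $true }

    # Tasks sit in folders under Tree, so recurse. A task node carries an Id value
    # (the {GUID} naming its Tasks\{GUID} entry) and, under normal conditions, SD.
    Get-ChildItem -Path $treeRoot -Recurse | ForEach-Object {
        $node = $_
        $id = $node.GetValue('Id')
        if (-not $id) { return }                                # no Id: nothing to look up
        $sd = $node.GetValue('SD')
        if ($null -ne $sd -and $sd.Length -gt 0) { return }      # SD present: task is visible

        $relPath = $node.Name.Substring($treePrefix.Length)     # e.g. \WinUpdate
        $taskKey = Join-Path $tasksRoot $id
        $task = if (Test-Path $taskKey) { Get-Item $taskKey } else { $null }

        [pscustomobject]@{
            TaskPath         = $relPath
            Id               = $id
            TasksKeyPresent  = [bool]$task
            Author           = if ($task) { $task.GetValue('Author') } else { $null }
            Created          = if ($task) { $task.GetValue('Date') }   else { $null }
            VisibleToTaskAPI = $visible.ContainsKey($relPath)
        }
    }
}

# Anything listed here exists in the registry but has no security descriptor;
# a legitimately created task should never be in this state.
Get-TasksMissingSD | Format-Table -AutoSize
```

Each row is a task that schtasks and the Task Scheduler console will not show. Triage it from its Tasks\{GUID} entry, whose Actions and Triggers values record what the task runs and when, rather than trusting the task name: "WinUpdate" was chosen precisely to look routine.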


According to the researchers, Hafnium uses this technique to mask its activity on targeted endpoints, allowing it to maintain persistence on affected systems while remaining undetected.
