Microsoft sounds the alarm over new cunning Windows malware

Chinese state-sponsored actor Hafnium has been caught using new malware that keeps access to a compromised Windows endpoint through hidden scheduled tasks, Microsoft has announced.

Microsoft’s Detection and Response Team (DART) says the group exploited a previously unknown (zero-day) vulnerability in its attacks.

“Investigation reveals forensic artifacts of use of Impacket tools for lateral movement and execution and discovery of defense evasion malware called Tarrask that creates ‘hidden’ scheduled tasks, and subsequent actions to remove task attributes, to conceal scheduled tasks from traditional means of identification,” DART explained.

Identifying the malware

Tarrask hides its tasks from “schtasks /query” and the Task Scheduler console by deleting the security descriptor (the SD value) from the task’s registry key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree. The task definition itself is left in place, so the task still runs on schedule while being invisible to the usual tooling.

The group used these hidden tasks to re-establish the connection to its command-and-control (C2) infrastructure after the device rebooted.

One way to find hidden tasks, Microsoft explained, is to manually inspect the Windows registry for task keys under the Tree path that have no SD value.
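The registry check described above, as an added example that is not part of Microsoft’s post: it walks the TaskCache\Tree hive, keeps only nodes whose Id value resolves to a task definition under TaskCache\Tasks, and reports those with no SD value, pulling the executable path out of the task’s Actions blob for triage. The function name is this example’s own; the value names (Id, SD, Path, Author, Actions) are the ones Task Scheduler uses. Run it from an elevated PowerShell session.

```powershell
# Added example, not Microsoft's code: hunt for scheduled tasks whose Tree key
# lacks the 'SD' (security descriptor) value, the artifact Tarrask leaves behind.
$treeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$tasksRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Find-HiddenScheduledTask {
    # Tasks live in folders under Tree, so recurse through every key.
    Get-ChildItem -Path $treeRoot -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        $id  = $key.GetValue('Id')
        if ($null -eq $id) { return }                         # folder node, not a task

        # A real task always has a definition under Tasks\{GUID}; folders do not.
        $taskKey = Join-Path $tasksRoot $id
        if (-not (Test-Path -Path $taskKey)) { return }

        if ($null -ne $key.GetValue('SD')) { return }         # normal task: SD present

        $props = Get-ItemProperty -Path $taskKey -ErrorAction SilentlyContinue

        # Actions is REG_BINARY holding UTF-16 strings (executable, arguments);
        # render a printable preview so the command line is visible in the output.
        $actions = $null
        if ($props.Actions) {
            $actions = [System.Text.Encoding]::Unicode.GetString($props.Actions) -replace '[^\x20-\x7E]', '.'
        }

        [pscustomobject]@{
            TaskPath = $key.Name.Substring($key.Name.IndexOf('\Tree\') + 5)  # path relative to Tree
            Id       = $id
            Path     = $props.Path
            Author   = $props.Author
            Actions  = $actions
        }
    }
}

$hidden = @(Find-HiddenScheduledTask)
if ($hidden.Count -eq 0) {
    Write-Host 'No tasks without an SD value found.'
} else {
    Write-Warning ("{0} task(s) have no SD value; compare against 'schtasks /query /fo list /v' and triage:" -f $hidden.Count)
    $hidden | Format-Table -AutoSize -Wrap
}
```

A task reported here will not appear in schtasks or the Task Scheduler console, which is exactly the discrepancy to chase: check the Actions preview and Author against what is expected on that host before treating it as Tarrask, and preserve the Tasks\{GUID} key (it holds the full task XML-derived definition) before remediation.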

Another way to spot the malware is to enable the Security.evtx and Microsoft-Windows-TaskScheduler/Operational.evtx logs and search them for key events that relate to “hidden” tasks created by Tarrask. Note that the Security log only records task creation (Event ID 4698) when the “Other Object Access Events” audit subcategory is enabled.

The Redmond giant also recommended enabling logging for “TaskOperational” in the Microsoft-Windows-TaskScheduler/Operational log, which is disabled by default, and keeping tabs on outbound connections from Tier 0 and Tier 1 critical assets.
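The logging side of Microsoft’s guidance, as an added example that is not part of the original post: enable the Task Scheduler Operational channel and the audit subcategory behind Security Event ID 4698, then pull task registration events from both logs and flag any task that was logged as created but is absent from “schtasks /query”, which is the signature of a task whose SD value was removed. The function name is this example’s own; the event IDs used are the standard Task Scheduler ones (4698 task created in Security; 106 registered, 140 updated, 141 deleted and 200 action started in the Operational log). Run from an elevated PowerShell session.

```powershell
# Added example, not Microsoft's code: turn on the logs Microsoft recommends and
# cross-check logged task registrations against what schtasks can still see.
$channel = 'Microsoft-Windows-TaskScheduler/Operational'

# The Operational channel is off by default; 4698 needs the matching audit subcategory.
wevtutil.exe sl $channel /e:true
auditpol.exe /set /subcategory:"Other Object Access Events" /success:enable | Out-Null

function Get-TaskRegistrationEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # Security 4698: "A scheduled task was created"
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $since } -ErrorAction SilentlyContinue
    # Operational: 106 task registered, 140 registration updated, 141 registration deleted, 200 action started
    $ops = Get-WinEvent -FilterHashtable @{ LogName = $channel; Id = 106, 140, 141, 200; StartTime = $since } -ErrorAction SilentlyContinue

    $events = (@($sec) + @($ops)) | Where-Object { $null -ne $_ }
    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        # Both logs carry the task name in an EventData <Data Name="TaskName"> element.
        $taskName = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'TaskName' }).'#text'
        [pscustomobject]@{
            Time = $e.TimeCreated
            Log  = $e.LogName
            Id   = $e.Id
            Task = $taskName
            User = $e.UserId
        }
    }
}

# Tasks schtasks can still enumerate. A hidden (SD-less) task is missing from this list
# even though its creation/registration events exist, so the difference is the hunt result.
$visible = schtasks.exe /query /fo csv /nh |
    ConvertFrom-Csv -Header TaskName, NextRun, Status |
    Select-Object -ExpandProperty TaskName

$suspect = Get-TaskRegistrationEvents -Hours 72 |
    Where-Object { $_.Task -and ($visible -notcontains $_.Task) }

if ($suspect) {
    Write-Warning 'Task registrations with no matching entry in schtasks /query:'
    $suspect | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Host 'Every logged task registration is still visible to schtasks.'
}
```

Because the Operational channel is off until enabled, this check only sees registrations that happen after it is turned on; for the window before that, the 4698 events in Security.evtx (if auditing was already configured) and the registry check are what remain. Forward both channels to a SIEM so a task that is later deleted from the registry still leaves its creation record.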

“Threat actors in this campaign used hidden scheduled tasks to maintain access to critical Internet-exposed assets by regularly re-establishing outbound communications with the C&C infrastructure,” DART explains.

“We recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while gaining persistence, leading us to raise awareness of this often overlooked technique.”


In the same announcement, Microsoft added that Hafnium is targeting the Zoho ManageEngine REST API authentication bypass vulnerability to plant a Godzilla web shell with properties similar to those Unit42 previously reported.

Since August 2021, Microsoft adds, Hafnium has been targeting organizations in the telecommunications, internet service provider and data services sectors, which suggests the group has broadened its focus.

Via: BleepingComputer
