Microsoft Windows attacked by the “Tarrask” malware from the Hafnium group
The infamous Hafnium hacking group, which has wreaked havoc on Microsoft Exchange servers, is back. This time, however, Microsoft is well aware of the state-sponsored threat actor's activities: the company knows that the group uses the ‘Tarrask’ malware to systematically target and weaken the defenses of the Windows operating system.
The Hafnium group uses Tarrask, a “defense evasion malware”, to evade Windows defenses and ensure that compromised environments remain vulnerable, Microsoft’s Detection and Response Team (DART) explained in a blog post:
As Microsoft continues to track HAFNIUM, the state-sponsored high-priority threat actor, new activity has been discovered that exploits unpatched zero-day vulnerabilities as initial vectors. Further investigation reveals forensic artifacts of using Impacket tooling for lateral movement and execution and discovery of defense evasion malware called Tarrask that creates “hidden” scheduled tasks, and subsequent actions to remove task attributes, to hide scheduled tasks from the traditional means of identification.
Microsoft is actively monitoring Hafnium’s activities and knows that the group is using new exploits in the Windows subsystem. The group apparently exploits a previously unknown Windows bug to hide malware from “schtasks /query” and the Task Scheduler.
The malware evades detection by deleting the registry value that holds the task’s security descriptor. Simply put, an unpatched Windows Task Scheduler bug helps the malware cover its tracks and ensures that the on-disk artifacts (leftovers from its activity) that would reveal what is going on are not there.
Technical jargon aside, the group appears to use “hidden” scheduled tasks to retain access to compromised devices even after multiple reboots. Like any malware, Tarrask also re-establishes broken connections to its command and control (C2) infrastructure.
Microsoft’s DART has not only issued a warning but also recommended enabling logging for ‘TaskOperational’ in the Microsoft-Windows-TaskScheduler/Operational Task Scheduler log. This should help admins find suspicious outbound connections from Level 0 and Level 1 assets.
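One way an administrator could hunt for tasks hidden in the manner the article describes, as an added example that is not code from the article or from Microsoft: it walks the Task Scheduler registry cache, flags task keys that lack the ‘SD’ (security descriptor) value, and cross-checks against what the scheduler API still reports. The TaskCache\Tree registry path and the Get-ScheduledTask cross-check are assumptions not named in the article; run it from an elevated PowerShell session.

```powershell
# Added example (not from the article or Microsoft): find scheduled tasks whose
# registry Tree key has no 'SD' (security descriptor) value, the artifact the
# article says Tarrask deletes, and tasks present in the registry but not
# returned by the scheduler API (which is what schtasks /query also uses).
# Assumption: the standard TaskCache location below; run elevated.
$TreeRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

function Get-TreeTaskKeys {
    # Every registered task has a leaf key under Tree that carries an 'Id' value;
    # intermediate keys are just folders and are skipped.
    param([string]$Root = $TreeRoot)
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and ($props.PSObject.Properties.Name -contains 'Id')) {
            # Key name is HKEY_LOCAL_MACHINE\...\TaskCache\Tree\Folder\Task;
            # keep only the part after '\Tree', e.g. \Microsoft\Windows\Task
            $rel = $_.Name.Substring($_.Name.IndexOf('\Tree') + 5)
            [pscustomobject]@{
                TaskPath = $rel
                HasSD    = [bool]($props.PSObject.Properties.Name -contains 'SD')
                Id       = $props.Id
            }
        }
    }
}

function Find-HiddenTasks {
    # Tasks the scheduler API still lists, keyed by full path (\Folder\Name).
    $visible = @{}
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $visible[($_.TaskPath + $_.TaskName)] = $true
    }
    Get-TreeTaskKeys | Where-Object {
        # Either signal is worth a look: missing SD, or in registry but not via API.
        (-not $_.HasSD) -or (-not $visible.ContainsKey($_.TaskPath))
    } | Select-Object TaskPath, HasSD, Id,
        @{ Name = 'VisibleToAPI'; Expression = { $visible.ContainsKey($_.TaskPath) } }
}

Find-HiddenTasks | Format-Table -AutoSize

# The TaskOperational events the article recommends are only recorded once the
# log is enabled (it is off by default):
#   wevtutil set-log Microsoft-Windows-TaskScheduler/Operational /enabled:true
```

A task that appears in the registry without an SD value, or that the API no longer lists, is a lead to investigate rather than a verdict; confirm with the task's Actions data and the enabled Operational log before acting.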