Highlights:
- The disclosure marks the second time that a scheduled task-based persistence mechanism has emerged in as many weeks.
- These hackers target sectors including telecommunications, internet service providers, and data services.
Hafnium, a hacking group backed by the Chinese, is associated with a piece of a new malware that is utilized to maintain persistence on compromised Windows environments.
Entities in the telecommunication, internet service provider, and data service sectors are the prime target of the threat actor. Launching its attack from August 2021 to February 2022, it expanded first from the victimology patterns observed during its attacks and exploited the zero-day flaws in Microsoft Exchange Servers in March 2021.
Microsoft Threat Intelligence Center (MSTIC) named the defense evasion malware “Tarrask,” a tool that creates “hidden” scheduled tasks on the system. The researchers said, “Scheduled task abuse is a very common method of persistence and defense evasion — and an enticing one, at that.”
Hafnium, which is famous for Exchange Server attacks, has benefited from unpatched zero-day vulnerabilities as initial vectors to drop web shells and other malware, including Tarrask, which generates new registry keys within two paths, Tree and Tasks, upon the creation of the scheduled tasks –
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}
The researchers said, “In this scenario, the threat actor created a scheduled task named ‘WinUpdate’ via HackTool: Win64/Tarrask to re-establish any dropped connections to their command-and-control (C and amp;C) infrastructure.”
“This resulted in the creation of the registry keys and values described in the earlier section; however, the threat actor deleted the [Security Descriptor] value within the Tree registry path.” A security descriptor (aka SD) defines access controls for performing the scheduled task.
However, deleting the SD value from the above-mentioned Tree registry path effectively results in the task “disappearing” from the Windows Task Scheduler or the schtasks command-line utility unless manually evaluated by navigating to the paths in the Registry Editor.
The disclosure marks the second time that a scheduled task-based persistence mechanism has emerged in as many weeks. Recently, Malwarebytes detailed a “simple but efficient” approach implemented by a malware called Colibiri that necessitated co-opting scheduled tasks to sustain machine reboots and run malicious payloads.
Experts’ view:
“The attacks […] signify how the threat actor Hafnium displays a unique understanding of the Windows subsystem and uses this expertise to mask activities on targeted endpoints to maintain persistence on affected systems and hide in plain sight,” the researchers said.