Microsoft Windows under attack from Hafnium group's 'Tarrask' malware

    Karlston


    The infamous Hafnium hacking group, which wreaked havoc on Microsoft Exchange servers, is back. But this time, Microsoft is well aware of the state-sponsored threat actor group’s activities. The company knows the group is utilizing 'Tarrask' malware to target and consistently weaken defenses of the Windows operating system.


    The Hafnium group is utilizing Tarrask, a "defense evasion malware", to evade Windows defenses and ensure compromised environments remain vulnerable, explained the Microsoft Detection and Response Team (DART) in a blog post:


    As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages un-patched zero-day vulnerabilities as initial vectors. Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defense evasion malware called Tarrask that creates 'hidden' scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification.


    Microsoft is actively tracking Hafnium's activities and is aware that the group is using novel exploits within the Windows subsystem. The group is apparently exploiting a previously unknown Windows bug to hide its scheduled tasks from "schtasks /query" and the Task Scheduler console.


    The malware evades detection by deleting the scheduled task's Security Descriptor registry value. Simply put, an as-yet-unpatched Windows Task Scheduler bug helps the malware cover its tracks, making sure that its on-disk artifacts (the remnants of its activity) aren't around to reveal what's going on.


    Technical jargon aside, the group appears to be using "hidden" scheduled tasks to retain access to compromised devices even after multiple reboots. Like other malware, Tarrask re-establishes dropped connections to its Command-and-Control (C2) infrastructure.


    Microsoft’s DART has not only issued a warning but has also recommended enabling logging for 'TaskOperational' within the Microsoft-Windows-TaskScheduler/Operational log. This should help admins look out for suspicious outbound connections from critical Tier 0 and Tier 1 assets.
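    The two points above, the missing Security Descriptor value and the recommended Operational log, can be turned into a quick host check. The PowerShell below is an added example written for this page, not code from the article or from Microsoft's post. It assumes the standard Task Scheduler registry cache path and the per-task "SD" value name (both general Windows knowledge, not quoted on the page), and that it is run from an elevated prompt, since the SD values are not readable otherwise.

```powershell
# Added example, not code from the article or from Microsoft's post.
# Assumptions: the Task Scheduler cache lives at the standard path below, each
# task node stores its security descriptor in a binary value named "SD", and the
# script runs elevated (SD values are not readable from a non-admin session).
$TreeRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

function Find-HiddenScheduledTask {
    param([string]$Root = $TreeRoot)

    # Tasks the scheduler API is willing to show, keyed by full task path.
    $visible = @{}
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $visible["$($_.TaskPath)$($_.TaskName)"] = $true
    }

    # Walk the registry cache directly and compare it with the API view.
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props) { return }
        $names = $props.PSObject.Properties.Name
        # Folder nodes carry no "Id" value; only real task nodes do.
        if ($names -notcontains 'Id') { return }

        # e.g. HKEY_LOCAL_MACHINE\...\Tree\Microsoft\Windows\Foo\Bar -> \Microsoft\Windows\Foo\Bar
        $taskPath = $_.Name -replace '^.*\\TaskCache\\Tree', ''
        [pscustomobject]@{
            TaskPath   = $taskPath
            Id         = $props.Id
            HasSD      = ($names -contains 'SD')
            ApiVisible = $visible.ContainsKey($taskPath)
        }
    } | Where-Object { -not $_.HasSD -or -not $_.ApiVisible }
}

# Enable the Operational log the article recommends, so task registration,
# update and deletion events are recorded for later review.
function Enable-TaskSchedulerOperationalLog {
    wevtutil set-log 'Microsoft-Windows-TaskScheduler/Operational' /enabled:true
}

Find-HiddenScheduledTask | Format-Table -AutoSize
```

Any row returned is a task node that either lacks its security descriptor or is absent from the scheduler's own listing; on a clean system the function returns nothing.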
