Chinese hackers use the new Tarrask malware to ensure persistence on the system

The China-linked APT group Hafnium has begun using the new Tarrask malware to ensure persistence on compromised Windows systems, according to the Microsoft Threat Intelligence Center (MSTIC).

Hafnium primarily targets organizations in the US, including infectious disease research centres, law firms, higher education institutions, defence contractors, academics, and non-governmental organizations. Attacks are carried out by exploiting vulnerabilities in web-accessible servers, and legitimate open-source frameworks like Covenant are used to control malware.

As MSTIC explained, in order to ensure persistence on the system, Tarrask creates hidden scheduled tasks and new keys for them:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}

The first subkey created in the Tree directory matches the name of the scheduled task. The values created in it (Id, Index and SD) contain metadata for registering the task in the system. The second subkey, created in the Tasks directory, is a mapping of the GUID to the ID value found in the Tree key. The values created in Actions, Path, Triggers, etc. contain the basic parameters needed to make the task easier.the experts said.

In the attack studied by Microsoft, the attackers created a scheduled WinUpdate task via HackTool:Win64/Tarrask to re-establish an interrupted connection to C&C servers. They removed the Security Descriptor (SD) value from the Tree registry. The SD defines the access controls for running a scheduled task.

The bottom line is to erase the SD value from the Tree directory, then the task will be hidden from the Windows Task Scheduler and the schtasks command line utility. The only way to discover this activity is to manually check the Registry Editor.

Experts noted that running the reg delete command to remove the SD value will result in an “Access Denied” error even when run from an elevated command prompt. The only way to remove the SD value is to run the command in the context of the SYSTEM user. For this reason, Tarrask malware used token stealing to obtain security permissions associated with the lsass.exe process.

Let me remind you that we also wrote that Chinese hackers cover their tracks and remove malware a few days before detection, and also that Chinese authorities have arrested the authors of the Mozi botnet.

Helga Smith

I was always interested in computer sciences, especially data security and the theme, which is called nowadays "data science", since my early teens. Before coming into the Virus Removal team as Editor-in-chief, I worked as a cybersecurity expert in several companies, including one of Amazon's contractors. Another experience: I have got is teaching in Arden and Reading universities.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button