Chinese hackers use the new Tarrask malware to ensure persistence on the system

Helga SmithApril 14, 2022Laas opgedateer: April 16, 2022
68 1 minuut gelees

The China-linked APT group Hafnium has begun using the new Tarrask malware to ensure persistence on compromised Windows systems, according to the Microsoft Threat Intelligence Center (MSTIC).

Hafnium primarily targets organizations in the US, including infectious disease research centres, law firms, higher education institutions, defence contractors, academics, and non-governmental organizations. Attacks are carried out by exploiting vulnerabilities in web-accessible servers, and legitimate open-source frameworks like Covenant are used to control malware.

As MSTIC explained, in order to ensure persistence on the system, Tarrask creates hidden scheduled tasks and new keys for them:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}

The first subkey created in the Tree directory matches the name of the scheduled task. The values created in it (Id, Index and SD) contain metadata for registering the task in the system. The second subkey, created in the Tasks directory, is a mapping of the GUID to the ID value found in the Tree key. The values created in Actions, Path, Triggers, ens. contain the basic parameters needed to make the task easier.the experts said.

In the attack studied by Microsoft, the attackers created a scheduled WinUpdate task via HackTool:Win64/Tarrask to re-establish an interrupted connection to C&C servers. They removed the Security Descriptor (SD) value from the Tree registry. The SD defines the access controls for running a scheduled task.

The bottom line is to erase the SD value from the Tree directory, then the task will be hidden from the Windows Task Scheduler and the schtasks command line utility. The only way to discover this activity is to manually check the Registry Editor.

Experts noted that running the reg delete command to remove the SD value will result in anAccess Deniederror even when run from an elevated command prompt. The only way to remove the SD value is to run the command in the context of the SYSTEM user. For this reason, Tarrask malware used token stealing to obtain security permissions associated with the lsass.exe process.

Let me remind you that we also wrote that Chinese hackers cover their tracks and remove malware a few days before detection, and also that Chinese authorities have arrested the authors of the Mozi botnet.

Merkers
Helga SmithApril 14, 2022Laas opgedateer: April 16, 2022
68 1 minuut gelees

Helga Smith

Ek het altyd in rekenaarwetenskap belanggestel, veral datasekuriteit en die tema, wat deesdae genoem word "data wetenskap", sedert my vroeë tienerjare. Voordat u as hoofredakteur in die virusverwyderingspan kom, Ek het as 'n kuberveiligheidskenner in verskeie maatskappye gewerk, insluitend een van Amazon se kontrakteurs. Nog 'n ervaring: Ek het onderrig in Arden en Reading universiteite.

Los 'n antwoord

Hierdie webwerf gebruik Akismet om strooipos te verminder. Leer hoe jou opmerkingdata verwerk word.

Terug na bo-knoppie