Chinese hackers use the new Tarrask malware to ensure persistence on the system

The China-linked APT group Hafnium has begun using the new Tarrask malware to ensure persistence on compromised Windows systems, according to the Microsoft Threat Intelligence Center (MSTIC).

Hafnium primarily targets organizations in the US, including infectious disease research centres, law firms, higher education institutions, defence contractors, academics, and non-governmental organizations. Attacks are carried out by exploiting vulnerabilities in web-accessible servers, and legitimate open-source frameworks like Covenant are used to control malware.

As MSTIC explained, in order to ensure persistence on the system, Tarrask creates hidden scheduled tasks and new registry keys for them:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}

"The first subkey, created in the Tree path, matches the name of the scheduled task. The values created in it (Id, Index and SD) contain metadata for registering the task in the system. The second subkey, created in the Tasks path, is a mapping of the GUID to the Id value found in the Tree key. The values created there (Actions, Path, Triggers, etc.) contain the basic parameters needed to facilitate execution of the task," the experts said.

In the attack studied by Microsoft, the attackers created a scheduled task named WinUpdate via HackTool:Win64/Tarrask to re-establish an interrupted connection to their C&C servers. They then removed the Security Descriptor (SD) value from the task's Tree registry key. The SD defines the access controls that govern who can run a scheduled task.

The upshot is that once the SD value is erased from the Tree key, the task is hidden from the Windows Task Scheduler and from the schtasks command-line utility. The only way to discover this activity is to inspect the registry manually in Registry Editor.

Experts noted that running the reg delete command to remove the SD value results in an "Access Denied" error even from an elevated command prompt. The only way to remove the SD value is to run the command in the context of the SYSTEM user, which is why Tarrask used token theft to obtain the security permissions associated with the lsass.exe process.
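As an added example, not part of the article or of Microsoft's report, the PowerShell check below walks the TaskCache\Tree keys named above and flags registered entries that carry an Id but no SD value, the condition that hides a task from schtasks. The registry paths come from the article; the function name is my own, and it assumes an elevated session that can read the cache keys.

```powershell
# Added example: detect scheduled-task entries hidden by SD removal.
# Only reads the registry; intended for triage on a suspected host.
$treeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$tasksRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Get-HiddenScheduledTasks {
    Get-ChildItem -Path $treeRoot -Recurse | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -Path $key.PSPath
        $names = $props.PSObject.Properties.Name

        # Registered entries (tasks and folders) normally carry both Id and SD.
        # An Id with no SD is the state the article describes for the hidden task.
        if (($names -contains 'Id') -and ($names -notcontains 'SD')) {
            $id      = $props.Id
            $taskKey = Join-Path $tasksRoot $id
            $actionsLen = 0
            if (Test-Path $taskKey) {
                # Actions is a binary blob; record its size so the analyst knows
                # whether the Tasks\{GUID} side still holds the task definition.
                $actions = (Get-ItemProperty -Path $taskKey).Actions
                if ($actions) { $actionsLen = $actions.Length }
            }
            [pscustomobject]@{
                TaskPath   = $key.Name -replace '^.*\\TaskCache\\Tree', ''
                Id         = $id
                HasIndex   = ($names -contains 'Index')   # tasks have Index, folders do not
                TasksKey   = if (Test-Path $taskKey) { $taskKey } else { '(missing)' }
                ActionsLen = $actionsLen
            }
        }
    }
}

Get-HiddenScheduledTasks | Format-Table -AutoSize
```

Any row returned is worth comparing against the output of schtasks /query, which will not list the entry; note that a task with a deleted SD is an artefact of tampering rather than a normal configuration.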

Let me also remind you that we previously wrote that Chinese hackers cover their tracks and remove malware a few days before detection, and also that Chinese authorities have arrested the authors of the Mozi botnet.

Helga Smith

I have been interested in computer science, especially data security and the field now called "data science", since my youth. Before joining the Virus Removal team as Editor-in-chief, I worked as a cybersecurity expert at several companies, including one of Amazon's contractors. Another experience: I have taught at Arden University and the University of Reading.
