Chinese hackers use the new Tarrask malware to ensure persistence on the system

The China-linked APT group Hafnium has begun using the new Tarrask malware to ensure persistence on compromised Windows systems, according to the Microsoft Threat Intelligence Center (MSTIC).

Hafnium primarily targets organizations in the US, including infectious disease research centres, law firms, higher education institutions, defence contractors, academics, and non-governmental organizations. Attacks are carried out by exploiting vulnerabilities in web-accessible servers, and legitimate open-source frameworks like Covenant are used to control malware.

As MSTIC explained, in order to ensure persistence on the system, Tarrask creates hidden scheduled tasks and new keys for them:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}

The first subkey created in the Tree directory matches the name of the scheduled task. The values created in it (Id, Index and SD) contain metadata for registering the task in the system. The second subkey, created in the Tasks directory, is a mapping of the GUID to the ID value found in the Tree key. The values created in Actions, Path, Triggers, dll.. contain the basic parameters needed to make the task easier.the experts said.

In the attack studied by Microsoft, the attackers created a scheduled WinUpdate task via HackTool:Win64/Tarrask to re-establish an interrupted connection to C&C servers. They removed the Security Descriptor (SD) value from the Tree registry. The SD defines the access controls for running a scheduled task.

The bottom line is to erase the SD value from the Tree directory, then the task will be hidden from the Windows Task Scheduler and the schtasks command line utility. The only way to discover this activity is to manually check the Registry Editor.

Experts noted that running the reg delete command to remove the SD value will result in anAccess Deniederror even when run from an elevated command prompt. The only way to remove the SD value is to run the command in the context of the SYSTEM user. For this reason, Tarrask malware used token stealing to obtain security permissions associated with the lsass.exe process.

Izinkan saya mengingatkan Anda bahwa kami juga menulis itu Chinese hackers cover their tracks and remove malware a few days before detection, and also that Chinese authorities have arrested the authors of the Mozi botnet.

Helga Smith

Saya selalu tertarik pada ilmu komputer, terutama keamanan data dan tema, yang disebut saat ini "ilmu data", sejak remaja awal saya. Sebelum masuk ke tim Penghapusan Virus sebagai Pemimpin Redaksi, Saya bekerja sebagai pakar keamanan siber di beberapa perusahaan, termasuk salah satu kontraktor Amazon. Pengalaman lain: Yang saya dapatkan adalah mengajar di universitas Arden dan Reading.

Tinggalkan Balasan

Situs ini menggunakan Akismet untuk mengurangi spam. Pelajari bagaimana data komentar Anda diproses.

Tombol kembali ke atas