Chinese hackers use the new Tarrask malware to ensure persistence on the system

The China-linked APT group Hafnium has begun using the new Tarrask malware to ensure persistence on compromised Windows systems, according to the Microsoft Threat Intelligence Center (MSTIC).

Hafnium primarily targets organizations in the US, including infectious disease research centres, law firms, higher education institutions, defence contractors, academics, and non-governmental organizations. Attacks are carried out by exploiting vulnerabilities in web-accessible servers, and legitimate open-source frameworks like Covenant are used to control malware.

As MSTIC explained, in order to ensure persistence on the system, Tarrask creates hidden scheduled tasks and new keys for them:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}

The first subkey created in the Tree directory matches the name of the scheduled task. The values created in it (Id, Index and SD) contain metadata for registering the task in the system. The second subkey, created in the Tasks directory, is a mapping of the GUID to the ID value found in the Tree key. The values created in Actions, Path, Triggers, 等. contain the basic parameters needed to make the task easier.the experts said.

In the attack studied by Microsoft, the attackers created a scheduled WinUpdate task via HackTool:Win64/Tarrask to re-establish an interrupted connection to C&C servers. They removed the Security Descriptor (SD) value from the Tree registry. The SD defines the access controls for running a scheduled task.

The bottom line is to erase the SD value from the Tree directory, then the task will be hidden from the Windows Task Scheduler and the schtasks command line utility. The only way to discover this activity is to manually check the Registry Editor.

Experts noted that running the reg delete command to remove the SD value will result in anAccess Deniederror even when run from an elevated command prompt. The only way to remove the SD value is to run the command in the context of the SYSTEM user. For this reason, Tarrask malware used token stealing to obtain security permissions associated with the lsass.exe process.

Let me remind you that we also wrote that Chinese hackers cover their tracks and remove malware a few days before detection, 仲有嗰個 Chinese authorities have arrested the authors of the Mozi botnet.

黑尔加·史密斯

我一直對電腦科學感興趣, 尤其是數據安全和主題, 而家被稱為 "數據科學", 由我十幾歲開始. 在進入病毒清除團隊擔任主編之前, 我曾喺多傢公司擔任網絡安全專家, 包括亞馬遜嘅承包商之一. 另一種體驗: 我在雅頓大學同雷丁大學任教.

留言

本網站使用Akismet嚟減垃圾郵件. 瞭解如何處理評論數據.

“返回頂部”按鈕