Microsoft is sounding the alarm about tricky new Windows malware

Microsoft has reported that the Chinese state-sponsored actor Hafnium has been using new malware that maintains access to compromised Windows endpoints through hidden scheduled tasks.

The Microsoft Detection and Response Team (DART) says the group exploited a previously unknown (zero-day) vulnerability in these attacks.

“Investigation reveals forensic artifacts from the use of Impacket tools for lateral movement and execution and the discovery of defense evasion malware called Tarrask that creates ‘hidden’ scheduled tasks, and subsequent actions to remove task attributes, to hide the scheduled tasks from traditional means of identification,” DART explained.

Identifying the malware

Tarrask hides the tasks it creates from "schtasks /query" and from the Task Scheduler by deleting their security descriptor (SD) registry value.

Hafnium used these hidden tasks to re-establish the connection to its command-and-control (C2) infrastructure after the device rebooted.

One way to find the hidden tasks is to manually inspect the Windows registry (the task keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree) for scheduled tasks whose key lacks a security descriptor (SD) value, Microsoft explained.

Another way to detect the malware is to enable the Security.evtx and Microsoft-Windows-TaskScheduler/Operational.evtx logs and look for the key events that record task activity, such as Event ID 4698 (a scheduled task was created) in the Security log and Event IDs 106, 140 and 141 (task registered, updated and deleted) in the Task Scheduler log; these events are still written for tasks that Tarrask has hidden.

Microsoft also recommended changing the audit policy to enable "TaskOperational" logging (the Microsoft-Windows-TaskScheduler/Operational log, which is off by default) and monitoring outbound connections from critical Tier 0 and Tier 1 assets.
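The three checks above (registry keys with no SD value, the Task Scheduler and Security event IDs, and the Operational log that has to be switched on first) can be run from one PowerShell script. The following is an added example written for this page, not code from Microsoft's post or from BleepingComputer; it assumes an elevated prompt on the host under investigation and that the registry path and event IDs are those of a standard Windows 10/Server 2016 or later build. The function names are the example's own.

```powershell
# Added example (not from Microsoft or BleepingComputer): hunt for the Tarrask
# artifact, a scheduled task whose registry key has lost its SD (security
# descriptor) value, and pull the events that still record such tasks.
# Run from an elevated PowerShell prompt. Assumption: on some builds reading
# the TaskCache keys needs SYSTEM rights (run via 'psexec -s' if denied).

$cache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'

function Get-TaskWithoutSD {
    # Every registered task (and task folder) has a key under TaskCache\Tree
    # carrying Id and SD values. A key with an Id but no SD is the pattern
    # Tarrask leaves behind: with SD gone, schtasks /query and the Task
    # Scheduler UI no longer display the task, but the Tasks\{GUID} key that
    # holds its actions and triggers is still present.
    Get-ChildItem -Path "$cache\Tree" -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $tree = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($null -ne $tree.Id -and $null -eq $tree.SD) {
                # Resolve the GUID to the task definition for triage context.
                $def = Get-ItemProperty -Path "$cache\Tasks\$($tree.Id)" -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    TreeKey = $_.Name
                    Id      = $tree.Id
                    Path    = $def.Path
                    Author  = $def.Author
                    # Actions is a binary blob with the command line embedded as
                    # UTF-16LE; a lossy decode keeping printable ASCII is enough
                    # to see what the hidden task launches.
                    Actions = if ($def.Actions) {
                        [Text.Encoding]::Unicode.GetString($def.Actions) -replace '[^\x20-\x7E]', ''
                    } else { $null }
                }
            }
        }
}

function Compare-TaskCacheWithApi {
    # Second check: any task path present in the registry cache but absent
    # from what the scheduler API returns is hidden from normal tooling.
    $visible = Get-ScheduledTask | ForEach-Object { $_.TaskPath + $_.TaskName }
    Get-ChildItem -Path "$cache\Tasks" -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).Path } |
        Where-Object { $_ -and ($visible -notcontains $_) }
}

function Get-TaskSchedulerEvents {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    # Microsoft-Windows-TaskScheduler/Operational is off by default; enable it
    # with:  wevtutil sl Microsoft-Windows-TaskScheduler/Operational /e:true
    # 106 = task registered, 140 = task updated, 141 = task deleted.
    $ops = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TaskScheduler/Operational'
        Id        = 106, 140, 141
        StartTime = $since
    } -ErrorAction SilentlyContinue
    # 4698 = "A scheduled task was created" in Security.evtx; it needs the
    # "Other Object Access Events" audit subcategory enabled:
    #   auditpol /set /subcategory:"Other Object Access Events" /success:enable
    $sec = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4698; StartTime = $since
    } -ErrorAction SilentlyContinue
    # Task name is the first property for 106/140/141 and the fifth for 4698
    # (after the four Subject* fields).
    @($ops) + @($sec) | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, @{ n = 'Task'; e = {
            if ($_.Id -eq 4698) { $_.Properties[4].Value } else { $_.Properties[0].Value }
        } }
}

# Usage: registry hunt, API cross-check, then the event trail for the last 30 days.
Get-TaskWithoutSD | Format-List
Compare-TaskCacheWithApi
Get-TaskSchedulerEvents -Days 30 | Format-Table -AutoSize
```

A task that appears in Get-TaskWithoutSD or Compare-TaskCacheWithApi but not in Get-ScheduledTask is exactly the case the article describes; its Actions field and the 106/4698 events around the same timestamp give the binary and the account that registered it. Event IDs 106, 140 and 141 are only recorded once the Operational log is enabled, so a host that was never configured for it will show the registry artifact but no event history.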

“Threat actors in this campaign used hidden scheduled tasks to maintain access to critical Internet-exposed assets by regularly re-establishing outbound communications with the C&C infrastructure,” explains DART.

"We recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while gaining persistence, which leads us to raise awareness of this often overlooked technique."

In the same announcement, Microsoft added that Hafnium has also been targeting the Zoho ManageEngine REST API authentication bypass vulnerability to drop a Godzilla web shell with properties similar to those previously documented by Palo Alto Networks' Unit 42.

Microsoft adds that since August 2021 Hafnium has been targeting organizations in the telecommunications, internet service provider and data services sectors, which suggests the group has broadened its targeting.

Via: BleepingComputer