Security researchers at Microsoft have uncovered a new malware employed by the Chinese state-sponsored Hafnium group that maintains persistence on compromised Windows devices by creating and obfuscating scheduled tasks. The Hafnium group was linked to last year’s worldwide exploitation of the ProxyLogon zero-day flaws that impacted Microsoft Exchange Servers. These threat actors have targeted organizations in multiple critical infrastructure sectors. The new malware, dubbed Tarrask, “creates ‘hidden’ scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification,” so that it remains on Windows systems after a reboot, according to Microsoft. Threat actors commonly abuse scheduled tasks to automate specific actions while achieving persistence. Adversaries could use this evasion method to maintain access to high-value targets and likely remain undetected. This is especially problematic for systems that are infrequently rebooted, such as domain controllers and database servers. Microsoft’s advisory on this activity lists further technical details, including indicators of compromise and mitigation recommendations. For more information, access the full advisory here or read more at BleepingComputer.
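As an added example (not code from the article or from Microsoft's advisory), the following PowerShell script checks a host for the hiding technique described above. It assumes, as the advisory describes, that the removed task attribute is the SD (security descriptor) value under the TaskCache\Tree registry key, which leaves the task running but invisible to schtasks.exe and Get-ScheduledTask; the function names are the author's own.

```powershell
# Added example, not from the article or the advisory. Run in an elevated session
# on Windows 8 / Server 2012 or later (needs the ScheduledTasks module).
# Assumption: a task whose SD value has been deleted from TaskCache\Tree stays
# registered (its Tree key and its TaskCache\Tasks\{GUID} key remain) but is no
# longer returned by the Task Scheduler API.

$cacheName = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
$treeKey   = "HKLM:\$cacheName\Tree"
$treeName  = "HKEY_LOCAL_MACHINE\$cacheName\Tree"   # form used by .Name on registry keys
$tasksKey  = "HKLM:\$cacheName\Tasks"

function Get-RegistryTasks {
    # Walk Tree recursively. A subkey is a task (not a folder) when its Id value
    # points at an existing TaskCache\Tasks\{GUID} key.
    Get-ChildItem -Path $treeKey -Recurse | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $names = $props.PSObject.Properties.Name
        if (($names -contains 'Id') -and (Test-Path "$tasksKey\$($props.Id)")) {
            [pscustomobject]@{
                TaskPath = $_.Name.Substring($treeName.Length)   # e.g. \Microsoft\Windows\Foo
                Id       = $props.Id
                HasSD    = ($names -contains 'SD')
            }
        }
    }
}

function Find-HiddenTasks {
    # Build the set of tasks the scheduler API still shows, keyed by full path.
    $visible = @{}
    Get-ScheduledTask | ForEach-Object { $visible[$_.TaskPath + $_.TaskName] = $true }

    foreach ($task in Get-RegistryTasks) {
        $reasons = @()
        if (-not $task.HasSD) { $reasons += 'SD value missing' }
        if (-not $visible.ContainsKey($task.TaskPath)) { $reasons += 'not returned by Get-ScheduledTask' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                Id       = $task.Id
                Reason   = ($reasons -join '; ')
            }
        }
    }
}

# Empty output means every registry-backed task still has its security descriptor
# and is also visible through the normal API; anything listed deserves a look.
Find-HiddenTasks | Format-Table -AutoSize
```

A hit on either condition is worth investigating, since a legitimately created task keeps its SD value and shows up in both views.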