Security News > 2022 > April > Microsoft: New malware uses Windows bug to hide scheduled tasks

Microsoft has discovered a new malware used by the Chinese-backed Hafnium hacking group to maintain persistence on compromised Windows systems by creating and hiding scheduled tasks.
"Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defense evasion malware called Tarrask that creates 'hidden' scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification."
This hacking tool, dubbed Tarrask, uses a previously unknown Windows bug to hide them from "Schtasks /query" and Task Scheduler by deleting the associated Security Descriptor registry value.
The threat group used these "Hidden" scheduled tasks to maintain access to the hacked devices even after reboots by re-establishing dropped connections to command-and-control infrastructure.
The "Hidden" tasks can only be found upon closer manual inspection of the Windows Registry if you look for scheduled tasks without an SD Value within their Task Key.
Evtx logs to check for key events linked to tasks "Hidden" using Tarrask malware.
News URL
Related news
- New Microsoft script updates Windows media with bootkit malware fixes (source)
- FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux (source)
- Microsoft says attackers use exposed ASP.NET keys to deploy malware (source)
- Microsoft has finally fixed Date & Time bug in Windows 11 (source)
- Microsoft shares workaround for Windows security update issues (source)
- Windows 10 KB5051974 update force installs new Microsoft Outlook app (source)
- Microsoft fixes bug causing Windows Server 2025 boot errors (source)
- Microsoft spots XCSSET macOS malware variant used for crypto theft (source)
- Microsoft Uncovers New XCSSET macOS Malware Variant with Advanced Obfuscation Tactics (source)
- Microsoft to remove the Location History feature in Windows (source)