Security News > 2022 > April > Microsoft: New malware uses Windows bug to hide scheduled tasks
Microsoft has discovered a new malware used by the Chinese-backed Hafnium hacking group to maintain persistence on compromised Windows systems by creating and hiding scheduled tasks.
"Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defense evasion malware called Tarrask that creates 'hidden' scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification."
This hacking tool, dubbed Tarrask, uses a previously unknown Windows bug to hide them from "Schtasks /query" and Task Scheduler by deleting the associated Security Descriptor registry value.
The threat group used these "Hidden" scheduled tasks to maintain access to the hacked devices even after reboots by re-establishing dropped connections to command-and-control infrastructure.
The "Hidden" tasks can only be found upon closer manual inspection of the Windows Registry if you look for scheduled tasks without an SD Value within their Task Key.
Evtx logs to check for key events linked to tasks "Hidden" using Tarrask malware.
News URL
Related news
- Microsoft fixes Remote Desktop issues caused by Windows Server update (source)
- Microsoft: Windows 11 22H2 Home and Pro reached end of servicing (source)
- Microsoft deprecates PPTP and L2TP VPN protocols in Windows Server (source)
- North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware (source)
- Microsoft blocks Windows 11 24H2 on two ASUS models due to crashes (source)
- Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel (source)
- Russia targets Ukrainian conscripts with Windows, Android malware (source)
- Microsoft fixes Windows 10 bug causing apps to stop working (source)
- Microsoft wants $30 if you want to delay Windows 11 switch (source)
- Microsoft delays Windows Recall again, now by December (source)