Security News > 2022 > April > Microsoft: New malware uses Windows bug to hide scheduled tasks
Microsoft has discovered a new malware used by the Chinese-backed Hafnium hacking group to maintain persistence on compromised Windows systems by creating and hiding scheduled tasks.
"Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defense evasion malware called Tarrask that creates 'hidden' scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification."
This hacking tool, dubbed Tarrask, uses a previously unknown Windows bug to hide them from "Schtasks /query" and Task Scheduler by deleting the associated Security Descriptor registry value.
The threat group used these "Hidden" scheduled tasks to maintain access to the hacked devices even after reboots by re-establishing dropped connections to command-and-control infrastructure.
The "Hidden" tasks can only be found upon closer manual inspection of the Windows Registry if you look for scheduled tasks without an SD Value within their Task Key.
Evtx logs to check for key events linked to tasks "Hidden" using Tarrask malware.
News URL
Related news
- Microsoft Teams tactics, malware connect Black Basta, Cactus ransomware (source)
- Microsoft admits GitHub hosted malware that infected almost a million devices (source)
- Microsoft lifts Windows 11 update block for some AutoCAD users (source)
- Microsoft replacing Remote Desktop app with Windows App in May (source)
- Microsoft: Recent Windows updates make USB printers print random text (source)
- Microsoft patches Windows Kernel zero-day exploited since 2023 (source)
- Microsoft: March Windows updates mistakenly uninstall Copilot (source)
- Microsoft: New RAT malware used for crypto theft, reconnaissance (source)
- Microsoft fixes Windows update bug that uninstalled Copilot (source)
- Microsoft lifts Windows 11 upgrade block after Asphalt 8 crash fix (source)