Microsoft: New malware uses Windows bug to hide scheduled tasks
Security News, April 2022

Microsoft has discovered new malware used by the Chinese state-backed Hafnium hacking group to maintain persistence on compromised Windows systems by creating scheduled tasks and then hiding them.
"Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defense evasion malware called Tarrask that creates 'hidden' scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification."
The tool, dubbed Tarrask, abuses a previously unknown Windows quirk: once a task has been registered, deleting the task's Security Descriptor (the binary SD value stored under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\<task path>) is enough to make the task disappear from "schtasks /query" and from the Task Scheduler UI, while the task itself keeps running because its definition still lives under TaskCache\Tasks\{GUID}. Deleting the SD value requires SYSTEM privileges, so by itself this is a defense-evasion technique, not a privilege-escalation one.
The threat group used these hidden tasks to maintain access to compromised devices across reboots, re-establishing dropped connections to its command-and-control infrastructure.
Hidden tasks can only be found by manually inspecting the Windows Registry: look under the TaskCache\Tree key for task keys that carry an Id value (the GUID of the task definition under TaskCache\Tasks) but no SD value.
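The registry check described above, written out as an added PowerShell example (this is not code from the article, from Microsoft or from Tarrask). It walks the TaskCache\Tree key, reports every task key that has an Id but no SD value, pulls the task's action from TaskCache\Tasks\{Id}, and confirms that Get-ScheduledTask cannot see the task. The UTF-16 decode of the Actions blob is a heuristic assumed here to surface the command line; the key paths are the real ones.

```powershell
# Added example (not from the article or from Microsoft): find scheduled tasks whose SD
# value has been removed from the Task Scheduler registry cache, which is what Tarrask
# leaves behind. Run from an elevated prompt; the TaskCache keys need admin rights to read.
$tree  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$tasks = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Get-HiddenScheduledTask {
    # Every registered task has a key under Tree holding an Id (GUID) value and, normally,
    # an SD (binary security descriptor) value. A key with Id but no SD is a task the
    # scheduler service still runs but the enumeration APIs skip.
    Get-ChildItem -Path $tree -Recurse | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($null -eq $props.Id -or $null -ne $props.SD) { return }

        # Folders in the Tree carry an Id too, but only real tasks have a Tasks\{GUID} key.
        $defKey = Join-Path $tasks $props.Id
        if (-not (Test-Path $defKey)) { return }

        # Registry key name -> task path as schtasks would print it, e.g. \Microsoft\Windows\Foo\Bar
        $taskPath = $_.Name -replace '^.*\\TaskCache\\Tree', ''
        $leaf     = Split-Path $taskPath -Leaf
        $folder   = (Split-Path $taskPath -Parent).TrimEnd('\') + '\'

        # Actions is a binary blob; the command line is stored inside it as UTF-16, so a
        # crude decode with non-printables stripped is enough to see what the task runs
        # (heuristic, an assumption of this example, not a documented format parser).
        $def = Get-ItemProperty -Path $defKey -ErrorAction SilentlyContinue
        $actions = ''
        if ($def -and $def.Actions) {
            $actions = ([Text.Encoding]::Unicode.GetString($def.Actions) -replace '[^\x20-\x7E]+', ' ').Trim()
        }

        # Get-ScheduledTask (and schtasks /query) return nothing for a task without an SD.
        $visible = $null -ne (Get-ScheduledTask -TaskPath $folder -TaskName $leaf -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            TaskPath     = $taskPath
            Id           = $props.Id
            VisibleToApi = $visible   # expected $false for a Tarrask-style hidden task
            Actions      = $actions
        }
    }
}

Get-HiddenScheduledTask | Format-Table -AutoSize
```

Any row this returns deserves a look at the Actions column and at the Tasks\{Id} key's Triggers, Author and Date values; a legitimate task never loses its SD on its own. Restoring the task to view is as simple as copying the SD value from a known-good task key, but do that only after preserving the key for forensics.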
Microsoft also points to the Windows event logs that record a task's lifecycle, which Tarrask does not clean up: Event IDs 106 (task registered), 140 (task updated) and 141 (task deleted) in Microsoft-Windows-TaskScheduler/Operational, and 4698 (task created), 4699 (task deleted) and 4702 (task updated) in Security.evtx. Both must be switched on in advance: the Operational log is disabled by default, and the Security events are only written when "Audit Other Object Access Events" is enabled in the audit policy.
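The event-log side of the hunt, as an added PowerShell example (again not code from the article or from Microsoft): a task that the logs say was registered or updated, that no log says was deleted, and that Get-ScheduledTask cannot see now matches the Tarrask pattern. The 30-day look-back window is an assumption of this example; the log names, event IDs and the TaskName field are real.

```powershell
# Added example (not from the article or from Microsoft): correlate Task Scheduler
# lifecycle events with what the API reports now. Both log sources must be enabled
# beforehand (elevated prompt):
#   wevtutil sl Microsoft-Windows-TaskScheduler/Operational /e:true
#   auditpol /set /subcategory:"Other Object Access Events" /success:enable
$since = (Get-Date).AddDays(-30)   # look-back window (assumption of this example)

function Get-TaskNameFromEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Both the Operational and the Security events carry the task path in an
    # EventData field named TaskName, e.g. \Microsoft\Windows\Foo\Bar
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'TaskName' }).'#text'
}

function Get-EventTaskNames {
    param([string]$LogName, [int[]]$Ids)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Ids; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { Get-TaskNameFromEvent $_ } |
        Where-Object { $_ } |
        Sort-Object -Unique
}

function Find-OrphanedTaskRegistrations {
    $opLog = 'Microsoft-Windows-TaskScheduler/Operational'
    # 106 = task registered, 140 = task updated, 141 = task deleted   (Operational log)
    # 4698 = task created, 4702 = task updated, 4699 = task deleted   (Security log)
    $registered = @(Get-EventTaskNames $opLog 106, 140) + @(Get-EventTaskNames 'Security' 4698, 4702)
    $deleted    = @(Get-EventTaskNames $opLog 141)      + @(Get-EventTaskNames 'Security' 4699)

    # What the API can enumerate today; TaskPath ends in '\', so concatenation gives the full path.
    $visible = Get-ScheduledTask | ForEach-Object { $_.TaskPath + $_.TaskName }

    # Seen being created/updated, never seen being deleted, yet not enumerable now.
    $registered | Sort-Object -Unique | Where-Object { $_ -notin $deleted -and $_ -notin $visible }
}

Find-OrphanedTaskRegistrations
```

Each path this returns is a candidate for the registry check: its Tree key should exist with an Id and no SD. An empty result does not clear the host if the Operational log or the object-access audit policy was off when the task was planted, which is why both should be enabled before an incident rather than during one.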