Microsoft: New malware uses Windows bug to hide scheduled tasks (Security News, April 2022)
Microsoft has discovered a new malware used by the Chinese-backed Hafnium hacking group to maintain persistence on compromised Windows systems by creating and hiding scheduled tasks.
"Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defense evasion malware called Tarrask that creates 'hidden' scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification."
The tool, dubbed Tarrask, uses a previously unknown Windows bug to hide those tasks from "schtasks /query" and the Task Scheduler by deleting the task's associated Security Descriptor (SD) registry value.
The threat group used these hidden scheduled tasks to maintain access to the compromised devices even after reboots, re-establishing dropped connections to its command-and-control infrastructure.
The hidden tasks can only be found by manually inspecting the Windows Registry and looking for scheduled tasks whose Task Key has no SD value.
Evtx logs can also be checked for key events linked to tasks hidden using the Tarrask malware.
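The registry check described above, as an added PowerShell hunting script that is not part of the article and not Microsoft's own tooling. It assumes the standard TaskCache registry layout (one key per task under TaskCache\Tree carrying Id, Index and SD values, with the task body under TaskCache\Tasks\{GUID}), an elevated session on the host being inspected, and uses Windows Security event 4698 (scheduled task created), which is a standard audit event the article does not name and which is only written when "Audit Other Object Access Events" is enabled.

```powershell
# Added example, not from the article or from Microsoft: find scheduled
# tasks whose Task Key has no "SD" (security descriptor) value, which is the
# condition the article describes for tasks that vanish from "schtasks /query"
# and Task Scheduler. Assumes the standard TaskCache layout and an elevated
# PowerShell session.

$TreeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$TasksRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Get-TaskKeysMissingSD {
    # Walk every key under Tree. Folder keys have no Id value; task keys do.
    $results = foreach ($key in Get-ChildItem -Path $TreeRoot -Recurse -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        $names = $props.PSObject.Properties.Name
        if ($names -notcontains 'Id') { continue }   # folder key, not a task
        if ($names -contains 'SD')    { continue }   # normal task: descriptor present

        # Task path as Task Scheduler displays it, e.g. \Microsoft\Windows\Example
        $relPath = $key.Name.Substring($key.Name.IndexOf('\Tree') + 5)

        # Cross-reference the task body under Tasks\{GUID} for its Path and Author.
        $body = Get-ItemProperty -Path "$TasksRoot\$($props.Id)" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            TaskPath = $relPath
            Id       = $props.Id
            BodyPath = $body.Path
            Author   = $body.Author
        }
    }
    return $results
}

function Test-TaskVisibleToSchtasks {
    param([Parameter(Mandatory)][string]$TaskPath)
    # "schtasks /query /fo csv /nh" emits one row per task with TaskName first.
    # A task whose SD value was removed should be absent from this listing.
    $rows = schtasks.exe /query /fo csv /nh 2>$null | ConvertFrom-Csv -Header TaskName, NextRun, Status
    return [bool]($rows | Where-Object { $_.TaskName -eq $TaskPath })
}

function Get-RecentTaskCreationEvents {
    param([int]$Days = 30)
    # Security event 4698 = "A scheduled task was created". Task names seen here
    # that no longer appear in schtasks output deserve a second look.
    $filter = @{ LogName = 'Security'; Id = 4698; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $name = if ($_.Message -match 'Task Name:\s+(\S+)') { $Matches[1] } else { '(unparsed)' }
        [pscustomobject]@{ Time = $_.TimeCreated; TaskName = $name }
    }
}

# Report: registry keys lacking SD, each annotated with whether schtasks still lists it.
$suspect = Get-TaskKeysMissingSD
if (-not $suspect) {
    Write-Host "No task keys without an SD value found under TaskCache\Tree."
} else {
    foreach ($t in $suspect) {
        $t | Add-Member -NotePropertyName VisibleInSchtasks `
                        -NotePropertyValue (Test-TaskVisibleToSchtasks -TaskPath $t.TaskPath)
    }
    $suspect | Format-Table -AutoSize
}

# Recent task-creation audit events for correlation with the registry findings.
Get-RecentTaskCreationEvents -Days 30 | Format-Table -AutoSize
```

Run it elevated and compare the two tables: a task that has a key under Tree but no SD value, is absent from schtasks output, and yet shows up as created in a 4698 event matches the pattern the article describes. A finding is not proof of compromise on its own, so confirm by reviewing the task body (Path, Author and the Actions data under Tasks\{GUID}) before removing anything.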