
Microsoft details how China-linked crew's malware hides scheduled Windows tasks
2022-04-14 07:45

The China-linked Hafnium cyber-gang is using a strain of malware to maintain a persistent presence in compromised Windows systems by creating hidden tasks that maintain backdoor access even after reboots.

Researchers within Microsoft's Detection and Response Team and Threat Intelligence Center spotted the software nasty, dubbed Tarrask, creating undesirable scheduled tasks via Windows Task Scheduler, which is typically used by IT administrators to automate such chores as updating programs, tidying up file systems, and starting certain applications.

The malware creates hidden scheduled tasks to ensure remote access to compromised devices survives reboots: if a machine is restarted, a task automatically reestablishes the backdoor connection to Hafnium's command-and-control servers.
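A defender-side check for the technique described above, added here as an example and not code from the article or from Microsoft: it compares the tasks the Task Scheduler is willing to report with the task entries recorded in the scheduler's registry cache, and flags any entry that the scheduler does not list or whose security-descriptor value (`SD`) is absent. Microsoft's published analysis of Tarrask attributes the hiding to removal of that `SD` value, which is why the script tests for it. The registry path is the standard Task Scheduler cache location; the script assumes a local Windows host with PowerShell 5.1 or later and an elevated session, since the `TaskCache` keys are not readable by ordinary users.

```powershell
# Added example: audit the Task Scheduler registry cache for task entries that are
# not reported by the scheduler API or that lack a security descriptor (SD) value.
# Run elevated; the TaskCache hive is restricted to administrators and SYSTEM.

$treeRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

# Build a lookup of every task the scheduler itself reports, keyed by full task path
# in the form '\Folder\Subfolder\TaskName' (root-level tasks become '\TaskName').
$visible = @{}
foreach ($task in Get-ScheduledTask) {
    $path = $task.TaskPath.TrimEnd('\') + '\' + $task.TaskName
    $visible[$path.ToLowerInvariant()] = $true
}

# The key name under Tree mirrors the task path, so strip the root prefix to get it.
$rootName = (Get-Item -Path $treeRoot).Name

$findings = foreach ($key in Get-ChildItem -Path $treeRoot -Recurse) {
    # Folder keys carry no 'Id' value; only real task entries do.
    if ($null -eq $key.GetValue('Id')) { continue }

    $taskPath  = $key.Name.Substring($rootName.Length)      # e.g. '\Microsoft\Windows\Foo\Bar'
    $missingSd = $null -eq $key.GetValue('SD')               # SD removed => hidden from the UI/API
    $unlisted  = -not $visible.ContainsKey($taskPath.ToLowerInvariant())

    if ($missingSd -or $unlisted) {
        [pscustomobject]@{
            TaskPath    = $taskPath
            MissingSD   = $missingSd
            NotListed   = $unlisted
            RegistryKey = $key.Name
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No task entries missing an SD value or hidden from Get-ScheduledTask.'
}
```

Any hit is worth a closer look rather than an automatic verdict: read the matching `TaskCache\Tasks\{GUID}` entry (its `Id` value under `Tree` points to it) to see the action the task runs, and check the creation time against the rest of the incident timeline. Running this check on a known-clean baseline first makes it easy to spot what a later run has added.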

Researchers with LogRhythm wrote in a blog post two years ago that hackers like the OS's scheduled tasks capabilities because "They are present on all Windows operating systems, they are easy to use, and most users do not even realize they're present. Even those who are aware might struggle to work out which tasks are valid parts of the OS or applications they have installed, and which, if any, are malicious."

"We recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving persistence," they wrote.

John Bambenek, principal threat hunter at cybersecurity firm Netenrich, told The Register that advanced persistent threat actors often look for ways to maintain "Subtle access to an environment. In this case, a hidden scheduled task could re-establish access for the attacker after an expulsion event. It probably isn't a problem in the sense of the number of victims. However, if you're a nation-state target, you want to pay attention to this."


News URL

https://go.theregister.com/feed/www.theregister.com/2022/04/14/microsoft-tarrask-malware-in-windows/
