Microsoft sounds the alarm over new cunning Windows malware
Chinese criminals are abusing a brand new Windows flaw
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
The Chinese state-sponsored threat actor Hafnium has been found using a brand newmalwareto maintain access on a breached Windows endpoint, with the help of hidden scheduled tasks,Microsofthas announced.
The Microsoft Detection and Response Team (DART) says the group has been leveraging a so far unknown vulnerability (azero-day) in its attacks.
“Investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defense evasion malware called Tarrask that creates ‘hidden’ scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification,” DART explained.
We’re looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn’t take more than 60 seconds of your time. Thank you for taking part.
Click here to start the survey in a new window«
Spotting the malware
Tarrask hides its activity from “schtasks /query” and Task Scheduler, by deleting any Security Descriptor registry value.
The Chinese criminals have been using these hidden tasks to re-establish the connection to C2 after the device restarts.
One of the ways to find the hidden tasks is to manually inspect Windows Registry for scheduled tasks without a Security Descriptor Value in their Task Key, it was further explained.
Another way to spot the malware is to enable the Security.evtx and the Microsoft-Windows-TaskScheduler/Operational.evtx logs and look for key events, in connection to any tasks “hidden” using Tarrask.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
The Redmond giant has also recommended enabling logging for ‘TaskOperational’ in the Microsoft-Windows-TaskScheduler/Operational Task Scheduler log and keeping an eye out for outbound connections from critical Tier 0 and Tier 1 assets.
US warns Chinese hackers have their ‘most advanced’ backdoor yet>Chinese hackers are reportedly now deploying malware on targets in Russia>This new custom macOS malware seizes control of your Google Drive account
“The threat actors in this campaign used hidden scheduled tasks to maintain access to critical assets exposed to the internet by regularly re-establishingoutbound communicationswith C&C infrastructure,” DART says.
“We recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving persistence, which brings us to raising awareness about this oft-overlooked technique.”
In the same announcement, Microsoft also added that Hafnium targeted the Zoho Manage Engine Rest API authentication bypass vulnerability, to place a Godzilla web shell with similar properties, something Unit42 previously discovered, as well.
Since August 2021, Microsoft adds, Hafnium has been targeting organizations in the telecommunication, internet service provider and data services sectors, concluding that the group broadened its scope of interest.
Via:BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
A new form of macOS malware is being used by devious North Korean hackers
Scammers are using fake copyright infringement claims to hack businesses
England vs Australia live stream: how to watch 2024 rugby union Autumn International online from anywhere
