
The Chinese-backed Hafnium hacking group has been linked to a new piece of malware that is used to maintain persistence in compromised Windows environments.

The threat actor is said to have targeted entities in the telecommunications, internet service provider and data services sectors from August 2021 to February 2022, expanding on the initial victimology observed during its attacks exploiting the then-zero-day flaws in Microsoft Exchange Server in March 2021.

Microsoft Threat Intelligence Center (MSTIC), which dubbed the defence evasion malware “Tarrask,” characterized it as a tool that creates “hidden” scheduled tasks on the system. “Scheduled task abuse is a very common method of persistence and defence evasion — and an enticing one, at that,” the researchers said.

Hafnium, while most notable for the Exchange Server attacks, has since leveraged unpatched zero-day vulnerabilities as initial vectors to drop web shells and other malware, including Tarrask. Each scheduled task that Tarrask creates produces new registry keys under two paths, Tree and Tasks:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}
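A defender-side check for the two cache paths listed above, added here as an example (it is not from the article or from Microsoft's report): it walks the Tree branch, confirms each task still has its Tasks\{GUID} counterpart and an SD (security descriptor) value, and compares the result against what Get-ScheduledTask reports, flagging any entry that fails one of those checks. It assumes an elevated PowerShell session on the host being inspected; the function name is hypothetical.

```powershell
# Added example, not code from the article or from Microsoft's Tarrask report.
# Assumes an elevated PowerShell session; Get-ScheduledTask is the stock
# ScheduledTasks module cmdlet that reflects what the Task Scheduler API exposes.
function Find-SuspiciousTaskCacheEntries {
    $cache     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
    $treeRoot  = Join-Path $cache 'Tree'
    $tasksRoot = Join-Path $cache 'Tasks'

    # Task paths the scheduler is willing to report, keyed as "\Folder\Name".
    $visible = @{}
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $visible[($_.TaskPath + $_.TaskName)] = $true
    }

    $findings = @()
    # Tree holds one leaf key per task (folders are keys with subkeys); a task's
    # "Id" value is the GUID of its Tasks\{GUID} counterpart.
    Get-ChildItem -Path $treeRoot -Recurse | ForEach-Object {
        $key = $_
        if ($key.SubKeyCount -gt 0) { return }          # folder node, not a task
        $id = $key.GetValue('Id')
        if ($null -eq $id) { return }                    # no task registered here

        # Turn "...\TaskCache\Tree\Folder\Name" into "\Folder\Name".
        $rel = $key.Name.Substring($key.Name.IndexOf('\Tree\') + 5)

        $reasons = @()
        if (-not (Test-Path (Join-Path $tasksRoot $id))) {
            $reasons += "no matching Tasks\$id key"
        }
        if ($null -eq $key.GetValue('SD')) {
            # Microsoft's public write-up notes the actor removed this value to hide tasks.
            $reasons += 'SD (security descriptor) value missing'
        }
        if (-not $visible.ContainsKey($rel)) {
            $reasons += 'not reported by Get-ScheduledTask'
        }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                TaskPath = $rel
                TaskId   = $id
                Reasons  = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

Find-SuspiciousTaskCacheEntries | Format-Table -AutoSize
```

An empty result means every Tree entry has its Tasks counterpart, its SD value and a visible registration; anything listed should be examined alongside the task's Actions and Triggers in the Tasks\{GUID} key before it is removed.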
