The Hafnium hacking group, which wreaked havoc on Microsoft Exchange servers in early 2021, is back. This time, however, Microsoft is tracking the state-sponsored threat actor's activity closely: the company says the group is using "Tarrask" malware to blind Windows defenses and keep compromised machines under its control.
Hafnium is using Tarrask, a "defense evasion malware", to hide from Windows defenses and ensure compromised environments remain accessible to the attacker, the Microsoft Detection and Response Team (DART) explained in a blog post:
As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors. Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defense evasion malware called Tarrask that creates "hidden" scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification.
Microsoft is actively tracking Hafnium's activities and says the group is abusing a previously unknown quirk in how Windows Task Scheduler handles its tasks. The result is a scheduled task that keeps running but no longer appears in "schtasks /query" or in the Task Scheduler console.
The trick is simple: Tarrask creates a scheduled task and then deletes the task's Security Descriptor ("SD") registry value from the Task Scheduler cache (under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree). Without that value, the usual enumeration tools can no longer display the task, even though its registry entries remain and the task continues to fire. Deleting the SD value requires SYSTEM privileges, so finding such a task also tells you the attacker already had full control of the host. Microsoft had not shipped a fix for this behaviour at the time of the report, so the technique keeps working on patched systems.
Technical jargon aside, the group uses these "hidden" scheduled tasks to retain access to compromised devices across multiple reboots. Like other persistence malware, Tarrask uses the task to re-establish dropped connections to its Command-and-Control (C2) infrastructure.
Microsoft's DART has not only issued a warning but has also recommended two defensive steps: enable the Microsoft-Windows-TaskScheduler/Operational event log (the "TaskOperational" channel), which is disabled by default and records task registration, updates, deletions and action execution; and monitor for suspicious outbound connections from critical Tier 0 and Tier 1 assets, since a hidden task will still have to reach out to its C2 server. DART also suggested manually inspecting the TaskCache\Tree registry hive for task entries that lack an SD value.
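The following PowerShell, an added example that is not Microsoft's or the article's code, puts the two points above into practice: it walks the Task Scheduler registry cache looking for tasks whose SD value is missing (the Tarrask hiding technique), cross-checks them against what Get-ScheduledTask can still see, and enables the Operational log DART recommends. The registry paths and value names (Id, SD, Path, Author) are the standard Task Scheduler cache layout; the function names are my own. Run it from an elevated prompt, since reading the TaskCache hive and enabling logs both require administrator rights.

```powershell
# Added example (not the article's or Microsoft's code).
# Finds scheduled tasks hidden by deleting their SD registry value, then
# enables the Microsoft-Windows-TaskScheduler/Operational log.
# Requires an elevated (administrator) PowerShell session.

$TreePath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$TasksPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Find-HiddenScheduledTask {
    # Every registered task has a key under TaskCache\Tree carrying an 'Id' (GUID)
    # and an 'SD' (security descriptor) value. A key with an Id but no SD is what
    # Tarrask leaves behind: the task still runs but schtasks /query and the
    # Task Scheduler UI no longer list it.
    $visible = @{}
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $visible[($_.TaskPath + $_.TaskName)] = $true
    }

    Get-ChildItem -Path $TreePath -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -ne $props.Id -and $null -eq $props.SD) {
            # Task name relative to the Tree root, e.g. \Microsoft\Windows\Foo\Bar
            $relName = '\' + $_.Name.Substring($_.Name.IndexOf('\Tree\') + 6)
            # The Tasks key holds the definition (Path, Author, Actions blob) keyed by GUID
            $def = Get-ItemProperty -Path (Join-Path $TasksPath $props.Id) -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                TaskName        = $relName
                Id              = $props.Id
                DefinitionPath  = $def.Path
                Author          = $def.Author
                VisibleToAPI    = $visible.ContainsKey($relName)   # expect $false for a Tarrask task
                RegistryKey     = $_.Name
            }
        }
    }
}

function Enable-TaskSchedulerOperationalLog {
    # The Operational channel is off by default; turn it on and confirm.
    wevtutil set-log 'Microsoft-Windows-TaskScheduler/Operational' /enabled:true
    wevtutil get-log 'Microsoft-Windows-TaskScheduler/Operational' | Select-String -Pattern '^enabled:'
}

function Get-RecentTaskSchedulerEvents {
    # Once the log is on, these IDs cover the lifecycle Tarrask touches:
    # 106 task registered, 140 task updated, 141 task deleted,
    # 200 action started, 201 action completed.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TaskScheduler/Operational'
        Id        = 106, 140, 141, 200, 201
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage
Find-HiddenScheduledTask | Format-Table -AutoSize
Enable-TaskSchedulerOperationalLog
Get-RecentTaskSchedulerEvents -Hours 24 | Format-Table -AutoSize
```

A hit from Find-HiddenScheduledTask is worth treating as a compromised host rather than a cleanup chore: removing the SD value needs SYSTEM, and simply deleting the Tree key does not tell you what else the attacker did with that access. Also note that enabling the Operational log only helps going forward; it will not show the registration of a task that was hidden before the log was turned on, which is why the registry sweep is the first step.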