Hafnium Tarrask malware uses scheduled tasks for defense evasion

Apr 13, 2022

Staff

As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors. The Microsoft Detection and Response Team (DART) in collaboration with the Microsoft Threat Intelligence Center (MSTIC) identified a multi-stage attack targeting the Zoho Manage Engine Rest API authentication bypass vulnerability to initially implant a Godzilla web shell with similar properties detailed by the Unit42 team in a previous blog.

Microsoft observed HAFNIUM from August 2021 to February 2022, target those in the telecommunication, internet service provider and data services sector, expanding on targeted sectors observed from their earlier operations conducted in Spring 2021.

Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defense evasion malware called Tarrask that creates “hidden” scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification.

The blog outlines the simplicity of the malware technique Tarrask uses, while highlighting that scheduled task abuse is a very common method of persistence and defense evasion—and an enticing one, at that. In this post, we will demonstrate how threat actors create scheduled tasks, how they cover their tracks, how the malware’s evasion techniques are used to maintain and ensure persistence on systems, and how to protect against this tactic.

Read more:

Tarrask malware uses scheduled tasks for defense evasion | Microsoft Security Blog

Microsoft Detection and Response Team (DART) researchers have uncovered malware that creates “hidden” scheduled tasks as a defense evasion technique. In this post, we will demonstrate how threat actors create scheduled tasks, how they cover their tracks, and how the malware's evasion techniques...

www.microsoft.com

Click to expand...

You must log in or register to reply here.

Similar threads

Article

Microsoft warns about Storm-0324 malware distributed through Teams chats

Replies: 1

Views: 400

Sep 13, 2023

flashh4

Article

Malicious ad served inside Bing Chat

Replies: 0

Views: 447

Sep 29, 2023

Brink

Article

3 Zero Trust strategies for cyber resilience with Surface devices

Replies: 0

Views: 572

Sep 27, 2023

Brink

Article

What is New in Microsoft Teams for October 2023

Replies: 0

Views: 331

Oct 31, 2023

Brink

Article

What is New in Microsoft 365 app for December 2023

Replies: 0

Views: 352

Dec 13, 2023

Brink

Completely Disable and Remove Copilot in Windows 11

This tutorial will show you how to completely disable the Windows Copilot feature and remove Copilot from the taskbar, Windows Search, and Microsoft Edge...
Brink

Mar 7, 2024
Enable or Disable Sudo Command in Windows 11

This tutorial will show you how to enable or disable the Sudo command for all users in Windows 11. Starting with Windows 11 build 26052 (Canary and Dev)...
Brink

Feb 8, 2024
Enable or Disable Feeds on Widgets Board in Windows 11

This tutorial will show you how to enable or disable news feeds on the widgets board for your account in Windows 11. Widgets are small windows that display...
Brink

Dec 4, 2023
Use ViVeTool to Enable or Disable Hidden Features in Windows 11

This tutorial will show you how to use ViVeTool to enable or disable hidden features in Windows 10 and Windows 11. ViVeTool is an open source tool that can...
Brink

Dec 1, 2023
Always or Never Combine Taskbar buttons and Hide Labels in Windows 11

This tutorial will show you how to always, when the taskbar is full, or never combine taskbar buttons and hide labels for your account, specific users, or...
Brink

May 24, 2023
Disable Modern Standby in Windows 10 and Windows 11

This tutorial will show you how to disable Modern Standby (S0 Low Power Idle) to enable S3 support on a Windows 10 and Windows 11 device. In Windows 10 and...
Brink

Jan 11, 2022
Disable "Show more options" context menu in Windows 11

This tutorial will show you how to enable or disable having to click on "Show more options" to see the full context menu for your account or all users in...
Brink

Oct 4, 2021
Download Official Windows 11 ISO file from Microsoft

This tutorial will show you how to download an official Windows 11 ISO file from Microsoft. Microsoft provides ISO files for Windows 11 to download. You...
Brink

Aug 19, 2021
Restore Classic File Explorer with Ribbon in Windows 11

This tutorial will show you how to restore the classic File Explorer with Ribbon for your account or all users in Windows 11. File Explorer in Windows 10...
Brink

Jul 19, 2021
Repair Install Windows 11 with an In-place Upgrade

This tutorial will show you how to do a repair install of Windows 11 by performing an in-place upgrade without losing anything. If you need to repair or...
Brink

Jul 5, 2021
Enable or Disable Windows Sandbox in Windows 11

This tutorial will show you how to enable or disable the Windows Sandbox feature for all users in Windows 11 Pro, Enterprise, or Education. Windows Sandbox...
Brink

Jun 30, 2021
Clean Install Windows 11

This tutorial will show you step by step on how to clean install Windows 11 at boot on your PC with or without an Internet connection and setup with a local...
Brink

Jun 22, 2021