Tarrask Malware Hides in Scheduled Windows Tasks
Researchers from Microsoft's Detection and Response Team (DART) and Threat Intelligence Center (MSTIC) have detected malware that hides in Windows scheduled tasks to evade detection. Dubbed Tarrask, the malware is believed to be used by Hafnium, a Chinese state-backed hacking group. Tarrask is able to maintain persistence even after reboots.
This reminds me of the 3:50am alarm I set for an early flight that I thought I had killed but still manages to come on randomly every now and then. Mitigation here is pretty straightforward – know what legitimate scheduled tasks are in use and audit for discrepancies and for tasks that try to hide from a simple listing.
The tasks are hidden due to a bug in Windows where tasks without a security descriptor are not displayed by traditional checks like "schtasks /query." The good news is you can scan the registry to find them, or turn on logging to Security.evtx and the Microsoft-Windows-TaskScheduler/Operational.evtx logs and then look there for the key events related to the malware. The trick is you need to know what's expected in order to identify anomalies reliably. Leverage the IOCs in the Unit 42 post below to aid detection and thwart C2 channels.
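The registry scan and the event-log check described above, as an added PowerShell example that is not from the original post or from Microsoft's write-up. It assumes the standard Windows location for registered tasks (the TaskCache\Tree key, where each task node carries an Id and an SD value), that Get-ScheduledTask reflects the same view as "schtasks /query", and that Security event 4698 and Task Scheduler Operational events 106/140/141 are the registration, update and deletion events of interest; the sample entries at the end are constructed so the comparison logic can be exercised without a live host.

```powershell
# Added example: audit scheduled tasks for entries hidden from the normal listing.
# Assumption: TaskCache\Tree is the standard registry home of registered tasks and
# every real task node has an Id (GUID) and an SD (security descriptor) value.
# Run elevated on the host being audited.
$TaskTree = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

function Get-TaskCacheEntries {
    # Walk every node under TaskCache\Tree; folder nodes have no Id, task nodes do.
    Get-ChildItem -Path $TaskTree -Recurse | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($null -ne $props.Id) {
            [pscustomobject]@{
                Path  = $_.PSPath -replace '^.*?\\Tree', ''   # e.g. \Microsoft\Windows\Foo\Bar
                HasSD = ($null -ne $props.SD)
                Id    = $props.Id
            }
        }
    }
}

function Get-VisibleTaskPaths {
    # Task Scheduler's own view; a task with no SD value does not show up here.
    Get-ScheduledTask | ForEach-Object { $_.TaskPath + $_.TaskName }
}

function Find-HiddenTasks {
    param(
        [Parameter(Mandatory)][object[]]$Entries,   # output of Get-TaskCacheEntries (or constructed)
        [string[]]$Visible                          # output of Get-VisibleTaskPaths (or constructed)
    )
    # Flag a task if its SD value is missing or if the registry knows about it
    # but the normal listing does not.
    foreach ($e in $Entries) {
        $reasons = @()
        if (-not $e.HasSD) { $reasons += 'missing SD value' }
        if ($Visible -and ($Visible -notcontains $e.Path)) { $reasons += 'absent from task listing' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Task = $e.Path; Id = $e.Id; Reason = ($reasons -join '; ') }
        }
    }
}

function Get-TaskRegistrationEvents {
    param([int]$Days = 7)
    # Security 4698 = scheduled task created (requires the "Other Object Access Events"
    # audit subcategory); TaskScheduler/Operational 106 = registered, 140 = updated, 141 = deleted.
    $since = (Get-Date).AddDays(-$Days)
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $since } -ErrorAction SilentlyContinue
    $ops = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106, 140, 141; StartTime = $since } -ErrorAction SilentlyContinue
    @($sec) + @($ops) | Where-Object { $_ } | Sort-Object TimeCreated | Select-Object TimeCreated, Id, Message
}

# Constructed sample (not real task data) to show the comparison offline:
$sampleEntries = @(
    [pscustomobject]@{ Path = '\Microsoft\Windows\UpdateOrchestrator\Schedule Scan'; HasSD = $true;  Id = '{constructed-guid-1}' },
    [pscustomobject]@{ Path = '\ConstructedSuspectTask';                              HasSD = $false; Id = '{constructed-guid-2}' }
)
$sampleVisible = @('\Microsoft\Windows\UpdateOrchestrator\Schedule Scan')
Find-HiddenTasks -Entries $sampleEntries -Visible $sampleVisible | Format-Table -AutoSize

# On a live host, replace the constructed data with the real views:
# Find-HiddenTasks -Entries (Get-TaskCacheEntries) -Visible (Get-VisibleTaskPaths) | Format-Table -AutoSize
# Get-TaskRegistrationEvents -Days 30 | Format-Table -AutoSize
```

With the constructed sample, only \ConstructedSuspectTask is reported, for both reasons at once (no SD value, and not present in the visible listing); the first entry is in both views and passes. On a real host the registry walk needs administrator rights, the 4698 events only exist if that audit subcategory is enabled, and the useful step is still the one the post stresses: compare the flagged tasks against the baseline of tasks you know should be there.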
Read more in
Microsoft: Tarrask malware uses scheduled tasks for defense evasion
Unit 42 Palo Alto Networks: Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer (November 2021)
The Register: Microsoft details how China-linked crew's malware hides scheduled Windows tasks
Bleeping Computer: Microsoft: New malware uses Windows bug to hide scheduled tasks