Microsoft details how China-linked crew's malware hides scheduled Windows tasks

All so that it can maintain backdoor access across reboots


The China-linked Hafnium cyber-gang is using a strain of malware to maintain a persistent presence in compromised Windows systems by creating hidden tasks that maintain backdoor access even after reboots.

Researchers within Microsoft's Detection and Response Team (DART) and Threat Intelligence Center (MTIC) spotted the software nasty, dubbed Tarrask, creating undesirable scheduled tasks via Windows Task Scheduler, which is typically used by IT administrators to automate such chores as updating programs, tidying up file systems, and starting certain applications.

The malware is part of a larger multi-stage attack against organizations that exploits an authentication bypass in the snappily named ManageEngine ADSelfService Plus, Zoho's password-management and single-sign-on offering for Active Directory environments; this bypass vulnerability is tracked as CVE-2021-40539. The Unit42 group at Palo Alto Networks in November wrote about this security hole and how it was being exploited by miscreants to install remote-control backdoors – namely, the Godzilla webshell – and other malware in networks.

This week, Microsoft's researchers revealed in a blog post that they have been watching the Hafnium crew exploit the vulnerability from August 2021 to February this year to target companies in the telecommunications, internet service provider, and data services industries with Godzilla implants.

A deeper investigation by Microsoft found evidence that Impacket tools were also used by Hafnium for lateral movement through victims' IT environments as well as the task-scheduling software nasty Tarrask.

This latter malware creates hidden tasks to ensure remote access to compromised devices is maintained across reboots: if a machine is restarted, a task is defined to automatically reestablish a backdoor connection with Hafnium's command-and-control servers. Whether Tarrask uses the Task Scheduler graphical user interface or the "schtasks" command-line utility, it generates artifacts on the system that IT staff can be on the look-out for as they indicate there may have been an intrusion. The hidden task itself is called WinUpdate.

To hide this task, Tarrask obtains SYSTEM-level privileges via token theft, and deletes the tasks' security descriptor registry values. This makes the tasks disappear from view in the GUI and schtasks; manually inspecting the registry will reveal the hidden tasks.

The detection of Tarrask highlights the continuing abuse of task-scheduling tools by threat actors to maintain persistence in compromised systems. Researchers with LogRhythm wrote in a blog post two years ago that hackers like the OS's scheduled tasks capabilities because "they are present on all Windows operating systems, they are easy to use, and most users do not even realize they're present. Even those who are aware might struggle to work out which tasks are valid parts of the OS or applications they have installed, and which, if any, are malicious."

The Microsoft researchers said job and task schedules have been in Windows for years and the abuse by Hafnium exhibited the crew's deep understanding of the Windows' subsystem and ability to mask Tarrask's operations while maintaining persistence.

"As such, we recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving persistence," they wrote.

John Bambenek, principal threat hunter at cybersecurity firm Netenrich, told The Register that advanced persistent threat (APT) actors often look for ways to maintain "subtle access to an environment. In this case, a hidden scheduled task could re-establish access for the attacker after an expulsion event. It probably isn't a problem in the sense of the number of victims. However, if you're a nation-state target, you want to pay attention to this."

Double trouble

According to Mike Parkin, senior technical engineer at cybersecurity firm Vulcan Cyber, the threat of such malware is two-fold.

"First, by adding a scheduled task to regain any lost access, they achieve persistence on the target," Parkin told The Register. "Second, by hiding the scheduled task, they make it much more difficult to identify and remediate the threat."

That said, while the task itself is essentially hidden from view, it still has artifacts in the Windows Registry that can be identified and dealt with, he said. It can be time-consuming if done manually, and there are automated tools that can examine the registry to highlight or automatically remove suspicious entries.

The Microsoft analysts wrote that bad actors will use this evasion method to keep access to high-value targets while remaining undetected, and that this can be a problem for systems such as domain controllers and database servers that aren't frequently rebooted.

They outlined steps enterprises can take to detect and defend against such malware, including modifying the audit policy to identify scheduled task actions and enabling and centralizing Task Scheduler logs. They also listed indicators of compromise for those wishing to find out if they've been targeted by the cyber-gang.

"Even if the tasks are 'hidden', these logs track key events relating to them that could lead you to discovering a well-hidden persistence mechanism," The Microsofties wrote.

They also recommended monitoring uncommon behavior of outbound communications and ensuring that monitoring and alerting for such connections from critical Tier 0 and Tier 1 assets are in place. ®


Other stories you might like

  • Despite global uncertainty, $500m hit doesn't rattle Nvidia execs
    CEO acknowledges impact of war, pandemic but says fundamentals ‘are really good’

    Nvidia is expecting a $500 million hit to its global datacenter and consumer business in the second quarter due to COVID lockdowns in China and Russia's invasion of Ukraine. Despite those and other macroeconomic concerns, executives are still optimistic about future prospects.

    "The full impact and duration of the war in Ukraine and COVID lockdowns in China is difficult to predict. However, the impact of our technology and our market opportunities remain unchanged," said Jensen Huang, Nvidia's CEO and co-founder, during the company's first-quarter earnings call.

    Those two statements might sound a little contradictory, including to some investors, particularly following the stock selloff yesterday after concerns over Russia and China prompted Nvidia to issue lower-than-expected guidance for second-quarter revenue.

    Continue reading
  • Another AI supercomputer from HPE: Champollion lands in France
    That's the second in a week following similar system in Munich also aimed at researchers

    HPE is lifting the lid on a new AI supercomputer – the second this week – aimed at building and training larger machine learning models to underpin research.

    Based at HPE's Center of Excellence in Grenoble, France, the new supercomputer is to be named Champollion after the French scholar who made advances in deciphering Egyptian hieroglyphs in the 19th century. It was built in partnership with Nvidia using AMD-based Apollo computer nodes fitted with Nvidia's A100 GPUs.

    Champollion brings together HPC and purpose-built AI technologies to train machine learning models at scale and unlock results faster, HPE said. HPE already provides HPC and AI resources from its Grenoble facilities for customers, and the broader research community to access, and said it plans to provide access to Champollion for scientists and engineers globally to accelerate testing of their AI models and research.

    Continue reading
  • Workday nearly doubles losses as waves of deals pushed back
    Figures disappoint analysts as SaaSy HR and finance application vendor navigates economic uncertainty

    HR and finance application vendor Workday's CEO, Aneel Bhusri, confirmed deal wins expected for the three-month period ending April 30 were being pushed back until later in 2022.

    The SaaS company boss was speaking as Workday recorded an operating loss of $72.8 million in its first quarter [PDF] of fiscal '23, nearly double the $38.3 million loss recorded for the same period a year earlier. Workday also saw revenue increase to $1.43 billion in the period, up 22 percent year-on-year.

    However, the company increased its revenue guidance for the full financial year. It said revenues would be between $5.537 billion and $5.557 billion, an increase of 22 percent on earlier estimates.

    Continue reading

Biting the hand that feeds IT © 1998–2022