Chinese state-sponsored threat group Hafnium has targeted telecommunications, data services, and internet services sectors between August 2021 and February 2022 with the new Tarrask malware aimed at establishing persistence on Windows systems, reports The Hacker News.
Microsoft Threat Intelligence Center researchers discovered that Hafnium leveraged Microsoft Exchange Server zero-day vulnerabilities to deploy the Tarrask malware, which creates hidden scheduled tasks to evade detection before establishing new registry keys, as well as other web shells.
"In this scenario, the threat actor created a scheduled task named 'WinUpdate' via HackTool:Win64/Tarrask in order to re-establish any dropped connections to their command-and-control (C&C) infrastructure," said researchers.
However, Hafnium omitted the security descriptor value from the Tree registry path to make the task seemingly invisible unless evaluated through the Registry Editor.
"The attacks [...] signify how the threat actor Hafnium displays a unique understanding of the Windows subsystem and uses this expertise to mask activities on targeted endpoints to maintain persistence on affected systems and hide in plain sight," they added.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news