Microsoft has identified new malware used by the Hafnium group, a collective it attributes to the Chinese government. The malware maintains access to compromised devices through hidden scheduled tasks.
Since the start of the war in Ukraine, cyberattacks by hacking groups affiliated with the Chinese government have been on the rise. Chinese hackers are known, for example, to be taking advantage of the conflict to collect sensitive data, in particular by posing as government entities.
More recently, hackers linked to China hijacked the VLC media player to deliver malware onto the PCs of its users. But the find of the day belongs to Microsoft: the Redmond firm has discovered new malware used by the Hafnium hacking group, a collective backed by China.
Microsoft discovers malware deployed through zero-day flaws in Windows
According to the American company, the group is exploiting as-yet-unidentified zero-day vulnerabilities on Windows 10 and 11 systems to deploy malware called Tarrask. According to the report, the malware creates scheduled tasks and then runs follow-up commands that strip attributes from those tasks, with the aim of making them invisible to conventional detection tools.
As Microsoft explains, the group used these hidden scheduled tasks to maintain access to compromised devices even after a reboot, re-establishing broken connections to its command-and-control (C2) infrastructure. A task hidden this way no longer appears in the output of schtasks /query or in the Task Scheduler console; it can only be found by inspecting the Windows registry, specifically by looking under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree for task keys that have no SD (security descriptor) value.
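The following PowerShell is an added example, not code from Microsoft's report or from the article, showing how a defender would run the registry check described above together with the event-log check Microsoft also recommends. It walks the TaskCache\Tree key for task entries that lack an SD value, recovers the command from the matching TaskCache\Tasks\{GUID} entry, confirms the task is indeed invisible to the Task Scheduler API, and pulls recent task-creation events (Event ID 4698, "A scheduled task was created") from the Security log. The function names are mine; the string extraction from the binary Actions value is a rough triage heuristic, not a parser of that format. Run it from an elevated session on the host under examination.

```powershell
# Added example (not code from Microsoft's report or from the Tarrask malware).
# Finds scheduled tasks whose registry entry lacks the SD (security descriptor)
# value, which hides the task from schtasks /query and the Task Scheduler UI.

$TreeKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$TasksKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Get-HiddenScheduledTask {
    # Walk every key under Tree. A key is treated as a task (not a folder) when
    # its Id value resolves to an entry under TaskCache\Tasks.
    Get-ChildItem -Path $TreeKey -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            $id  = $key.GetValue('Id')
            if ($null -eq $id) { return }
            $taskEntry = Join-Path $TasksKey $id
            if (-not (Test-Path $taskEntry)) { return }

            # Only tasks with a missing SD value are of interest here.
            if ($null -ne $key.GetValue('SD')) { return }

            # Task path as Task Scheduler would show it, e.g. \Microsoft\Windows\Foo
            $taskPath = $key.Name -replace '^.*?\\TaskCache\\Tree', ''

            # The Tasks\{GUID} entry still holds the definition, including the
            # Actions blob, so the command line can be recovered for triage.
            $actions = (Get-ItemProperty -Path $taskEntry -Name 'Actions' -ErrorAction SilentlyContinue).Actions
            $actionText = if ($actions) {
                # Heuristic (assumption, not a full parser): the blob embeds UTF-16LE
                # strings; keep the printable runs.
                ([System.Text.Encoding]::Unicode.GetString($actions) -replace '[^\x20-\x7E]+', ' ').Trim()
            } else { '<no Actions value>' }

            # A task hidden this way is also absent from the Task Scheduler API.
            $name   = Split-Path $taskPath -Leaf
            $folder = Split-Path $taskPath -Parent
            if (-not $folder.EndsWith('\')) { $folder += '\' }
            $visible = [bool](Get-ScheduledTask -TaskPath $folder -TaskName $name -ErrorAction SilentlyContinue)

            [pscustomobject]@{
                TaskPath        = $taskPath
                Id              = $id
                VisibleToAPI    = $visible
                RecoveredAction = $actionText
            }
        }
}

function Get-TaskCreationEvent {
    # Event 4698 in the Security log records the task definition at creation
    # time, so it survives the later removal of the SD value. It is only written
    # when auditing of "Other Object Access Events" is enabled.
    param([datetime]$Since = (Get-Date).AddDays(-30))

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                TaskName    = $data['TaskName']
                Subject     = $data['SubjectUserName']
                Content     = $data['TaskContent']   # XML task definition, includes <Command>
            }
        }
}

Get-HiddenScheduledTask | Format-Table -AutoSize
Get-TaskCreationEvent   | Format-List
```

Any task returned by Get-HiddenScheduledTask with VisibleToAPI set to false deserves a closer look, since legitimate tasks carry an SD value; comparing its RecoveredAction against the TaskContent of the matching 4698 event shows what was registered and by which account. The Microsoft-Windows-TaskScheduler/Operational log, when enabled, provides the same creation and execution trail from the scheduler's side.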
Note that administrators can also enable the Security.evtx and Microsoft-Windows-TaskScheduler/Operational.evtx logs to capture task-creation events, including those for tasks later hidden by Tarrask. “We recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving persistence, leading us to raise awareness around this regularly used technique,” concludes Microsoft in its report.
As a reminder, the United States recently disrupted a large-scale cyberattack by removing Russian malware present in the systems of many American companies and institutions. Microsoft also took part in that effort.