
Microsoft sounds the alarm over new cunning Windows malware


Tarrask malware uses hidden scheduled tasks to maintain persistence on a Windows device after restart.
The Chinese state-sponsored threat actor Hafnium has been found using brand-new malware to maintain access on a breached Windows endpoint with the help of hidden scheduled tasks, Microsoft has announced. The Microsoft Detection and Response Team (DART) says the group has been leveraging a previously unknown vulnerability (a zero-day) in its attacks. "Investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defense evasion malware called Tarrask that creates 'hidden' scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification," DART explained. Tarrask hides its activity from "schtasks /query" and Task Scheduler by deleting the associated Security Descriptor registry value.
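
Because such a task no longer shows up in "schtasks /query" or Task Scheduler, a defender has to look at the registry directly. The following PowerShell check is an added example, not code from the article or from Microsoft: it walks the Task Scheduler registry cache and reports task keys that have an `Id` value but no `SD` value. The `TaskCache\Tree` path and the `Id`/`SD` value names are standard Windows locations that the article itself does not state, and the function name is hypothetical.

```powershell
# Added example: find scheduled-task registry keys whose Security Descriptor
# (SD) value is missing. Run from an elevated prompt.
# Assumption: standard Task Scheduler cache location (not given in the article).
$TreePath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

function Find-TaskMissingSD {
    param([string]$Root = $TreePath)

    # Collect access errors instead of hiding them: a key that cannot be
    # read cannot be cleared and needs review from a SYSTEM context.
    $unreadable = @()
    $keys = Get-ChildItem -Path $Root -Recurse `
                -ErrorAction SilentlyContinue -ErrorVariable unreadable

    foreach ($key in $keys) {
        $values = $key.GetValueNames()

        # Task entries carry an Id (the task GUID). A task entry without SD
        # is what the hiding technique described above leaves behind.
        if (($values -contains 'Id') -and ($values -notcontains 'SD')) {
            [pscustomobject]@{
                Key    = $key.Name
                TaskId = $key.GetValue('Id')
                Values = $values -join ','
            }
        }
    }

    foreach ($err in $unreadable) {
        Write-Warning "Could not read: $($err.TargetObject)"
    }
}

Find-TaskMissingSD | Format-List
```

An empty result with no warnings means every readable task entry still has its SD value; any hit should be compared against the task's `Id` and its action before it is treated as malicious.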
