Microsoft: These hackers are using a simple trick to hide their Windows malware

Attackers with a "unique understanding" of the Windows subsystem are using it to mask their activities.
Written by Liam Tung, Contributing Writer

Microsoft has exposed Tarrask, a piece of malware from a likely China-backed, state-sponsored hacking group that targets Windows machines by creating hidden scheduled tasks that pose as software updates.

The Windows maker has attributed the malware to Hafnium, the same hacking group that the US and UK blamed for the Exchange Server hacks last year.

Tarrask is a simple piece of malware that creates unwanted scheduled tasks on Windows machines so that it persists across reboots. It uses the Windows Task Scheduler, which admins legitimately use to automate tasks such as software updates for browsers and other apps, but here the attackers are abusing it to keep their foothold.


Scheduled tasks have become a popular persistence mechanism on compromised Windows machines. Microsoft found that the Russian hackers behind the SolarWinds supply chain attack also used scheduled tasks to persist on a machine.

"We've found that threat actors commonly make use of this service to maintain persistence within a Windows environment," Microsoft notes in a blog post, and despite its "simplicity" the technique is effective.

Tarrask's scheduled tasks, like any others created through the Task Scheduler graphical user interface or the schtasks command-line utility, leave registry artifacts behind at the moment they are created, and those artifacts are what defenders can look for.

In this case, the abuse of Windows Task Scheduler was part of a broader attack chain that began with the Zoho ManageEngine ADSelfService Plus REST API authentication bypass vulnerability, tracked as CVE-2021-40539. Microsoft reported in November that it was tracking exploitation of this bug by China-based attackers, who were using Zoho's password management and single sign-on software to compromise Windows machines and deploy the Godzilla web shell.

Microsoft says Hafnium used this combination of legitimate Windows services and Zoho's bug from August 2021 to February 2022 to target organizations in the telecommunications, internet service provider and data services sectors. In mid-2021, the group had targeted disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

Tarrask does not merely create scheduled tasks; it takes additional steps to hide those tasks from the tools that would normally list them, so that antivirus and administrators alike do not see them.


Microsoft offers instructions on how defenders can manually check the registry tree to see whether attackers have created these unwanted scheduled tasks.
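The following PowerShell is an added example written for this article; it is not code from Microsoft's report or from ZDNet. It walks the Task Scheduler registry cache under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache and reports tasks that either lack a Security Descriptor (SD) value, which is how Microsoft's report describes the tasks being hidden, or that the Task Scheduler API (Get-ScheduledTask) does not list even though the registry holds them. It also pulls recent Security event 4698 (scheduled task created) records, which Microsoft recommends auditing. The function names and the comparison logic are this example's own design; it must run in an elevated session because the TaskCache keys are readable only by administrators.

```powershell
# Added example (not Microsoft's or ZDNet's code): hunt for scheduled tasks that
# exist in the registry cache but are hidden from the Task Scheduler API.
# Run elevated: HKLM\...\Schedule\TaskCache is not readable by standard users.

$TaskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
$TreeRoot  = Join-Path $TaskCache 'Tree'
$TasksRoot = Join-Path $TaskCache 'Tasks'
# Length of the Tree key's full name, used to turn a subkey name into "\Folder\Task".
$TreePrefixLength = (Get-Item -Path $TreeRoot).Name.Length

function Get-TaskCacheEntry {
    # Recursively enumerate TaskCache\Tree. Folders and tasks are both subkeys;
    # a task is a key whose Id value resolves to a TaskCache\Tasks\{GUID} key
    # (folders have no such entry).
    param([string]$Path = $TreeRoot)

    foreach ($key in Get-ChildItem -Path $Path -ErrorAction SilentlyContinue) {
        $props  = Get-ItemProperty -Path $key.PSPath
        $isTask = ($null -ne $props.Id) -and
                  (Test-Path -Path (Join-Path $TasksRoot $props.Id))
        if ($isTask) {
            [pscustomobject]@{
                TaskPath = $key.Name.Substring($TreePrefixLength)  # e.g. \Microsoft\Windows\...
                Id       = $props.Id
                HasSD    = ($null -ne $props.SD)   # SD is a REG_BINARY security descriptor
            }
        }
        Get-TaskCacheEntry -Path $key.PSPath
    }
}

function Get-HiddenScheduledTask {
    # Flag any registry task that (a) has no SD value or (b) is absent from what the
    # Task Scheduler API returns. Both are worth triage: legitimate tasks always
    # carry an SD and are enumerable by an administrator.
    $visible = @{}
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        # Get-ScheduledTask returns TaskPath with a trailing backslash.
        $visible[$t.TaskPath + $t.TaskName] = $true
    }
    foreach ($entry in Get-TaskCacheEntry) {
        $seenByApi = $visible.ContainsKey($entry.TaskPath)
        if (-not $entry.HasSD -or -not $seenByApi) {
            $entry | Add-Member -NotePropertyName VisibleToApi -NotePropertyValue $seenByApi -PassThru
        }
    }
}

function Get-TaskCreationEvent {
    # Security event 4698 ("A scheduled task was created") is written only when
    # object-access auditing for Other Object Access Events is enabled, which is
    # why Microsoft recommends turning it on. Parse the task name and creator.
    param([int]$Days = 30)
    $filter = @{ LogName = 'Security'; Id = 4698; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time     = $ev.TimeCreated
            User     = $data['SubjectUserName']
            TaskName = $data['TaskName']
        }
    }
}

Write-Host "Tasks present in the registry but hidden or missing their SD value:"
Get-HiddenScheduledTask | Format-Table -AutoSize

Write-Host "Scheduled tasks created in the last 30 days (Security event 4698):"
Get-TaskCreationEvent | Sort-Object Time -Descending | Format-Table -AutoSize
```

A hit from Get-HiddenScheduledTask is a lead, not a verdict: inspect the matching TaskCache\Tasks\{GUID} key (its Actions and Path values) and the task XML under C:\Windows\System32\Tasks before deleting anything. Because a task with no SD value can persist until someone looks in the registry, this kind of sweep is most valuable on the long-uptime domain controllers and database servers that Microsoft calls out, where a reboot-based cleanup is not going to happen.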

Microsoft acknowledges that Hafnium hackers have developed a "unique understanding of the Windows subsystem" and use it to "hide in plain sight". 

As Microsoft notes, the methods used by this attack group are "problematic" for systems that are rarely rebooted. These include critical systems such as domain controllers and database servers.

Microsoft also lists steps admins can take to make sure these hidden scheduled tasks are detected.

"The threat actors in this campaign used hidden scheduled tasks to maintain access to critical assets exposed to the internet by regularly re-establishing outbound communications with C&C infrastructure. Remain vigilant and monitor uncommon behavior of your outbound communications by ensuring that monitoring and alerting for these connections from these critical Tier 0 and Tier 1 assets is in place," it said. 
