Microsoft: Chinese Tarrask Malware Targeting Windows PCs
Microsoft has linked the Chinese state-sponsored group Hafnium to a new piece of malware, Tarrask, deployed on Windows systems after the group gained access through a zero-day vulnerability. The same group was blamed for the 2021 attacks on Microsoft Exchange servers in the UK and US.
Tarrask creates scheduled tasks on Windows computers so that its payload survives a reboot. It abuses the Windows Task Scheduler, a built-in component that system administrators routinely use to automate jobs such as OS and software updates, which means a malicious task sits among many legitimate ones.
Microsoft also noted that Russian state-sponsored actors used the same tactic in the SolarWinds compromise. That supply-chain attack on the US IT company, disclosed in December 2020, exposed many of its customers.
“Throughout the course of our research, we’ve found that threat actors commonly make use of this service to maintain persistence within a Windows environment,” Microsoft said in its security blog post.
“We’ve noted that the Tarrask malware generates several artifacts upon the creation of a scheduled task, whether using the Task Scheduler GUI or the schtasks command line utility. Profiling the use of either of these tools can aid investigators in tracking this persistence mechanism,” added Microsoft.
In this particular intrusion, the attackers used the scheduler as one stage of a multi-stage attack that began by exploiting an authentication bypass vulnerability in Zoho ManageEngine. Through it they deployed the Godzilla web shell, which inspects inbound HTTP POST requests, decrypts the request body with a shared secret key, executes the resulting payload on the server, and returns the output to the operators in the HTTP response.
Microsoft has published instructions for manually checking the Windows registry to find scheduled tasks that were created maliciously in this way. The company also noted that the attackers showed a "unique understanding of the Windows subsystem" and used it to hide their malware in plain sight.
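The registry check Microsoft points to, as an added example written for this article rather than code from Microsoft's post: a PowerShell script that walks the TaskCache tree under HKLM, flags task nodes whose SD (security descriptor) value is missing, which is the condition Microsoft described as hiding a Tarrask task from schtasks /query and the Task Scheduler GUI, and reports the author and action strings for each hit alongside whether the Task Scheduler API still lists the task. The Actions decoding is a readable-string heuristic, not a parser for the documented blob format; the function and variable names are this example's own.

```powershell
# Added example, not code from Microsoft's write-up: list scheduled tasks registered in the
# TaskCache registry tree whose key has no SD (security descriptor) value. A task node with
# its SD removed is the condition Microsoft described for Tarrask: the task keeps running,
# but schtasks /query and the Task Scheduler GUI no longer show it.
# Run from an elevated PowerShell prompt (Windows PowerShell 5.1 or PowerShell 7).

$TaskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'

function Get-ActionStrings {
    # Heuristic (an assumption of this example, not a documented format parser): pull
    # readable UTF-16 strings out of the binary Actions blob so the executable and
    # arguments can be eyeballed.
    param([byte[]]$Bytes)
    if (-not $Bytes) { return @() }
    $text = [System.Text.Encoding]::Unicode.GetString($Bytes)
    return ($text -split '[^\x20-\x7E]+' | Where-Object { $_.Length -ge 4 })
}

function Get-SdLessScheduledTasks {
    # Tasks the Task Scheduler API is willing to show, keyed by full path, for comparison.
    $visible = @{}
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $visible[($_.TaskPath + $_.TaskName)] = $true
    }

    Get-ChildItem -Path "$TaskCache\Tree" -Recurse | ForEach-Object {
        $node = Get-ItemProperty -Path $_.PSPath
        # Folder nodes carry no Id; only registered tasks do.
        if (-not $node.PSObject.Properties['Id']) { return }
        # A normally registered task always has an SD value; its absence is the indicator.
        if ($node.PSObject.Properties['SD']) { return }

        # $_.Name is HKEY_LOCAL_MACHINE\...\TaskCache\Tree\<folder>\<task>; keep the part
        # after "\Tree", which matches TaskPath + TaskName from Get-ScheduledTask.
        $relPath = $_.Name.Substring($_.Name.IndexOf('\Tree\') + 5)
        $detail  = Get-ItemProperty -Path "$TaskCache\Tasks\$($node.Id)" -ErrorAction SilentlyContinue

        [pscustomobject]@{
            TaskPath          = $relPath
            Id                = $node.Id
            Author            = $detail.Author
            Actions           = (Get-ActionStrings -Bytes $detail.Actions) -join ' | '
            VisibleToSchtasks = $visible.ContainsKey($relPath)
        }
    }
}

Get-SdLessScheduledTasks | Format-List
```

Reading TaskCache from an elevated prompt is enough to detect the condition; the script changes nothing. Treat a hit as a lead rather than a verdict: a task with no SD value and an action string pointing at an unexpected binary deserves a look at the binary, the author and the surrounding event logs before the task is removed, and removal should be done deliberately rather than by hand-editing TaskCache.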