Skip links

Microsoft details how China-linked crew’s malware hides scheduled Windows tasks

The China-linked Hafnium cyber-gang is using a strain of malware to maintain a persistent presence in compromised Windows systems by creating hidden tasks that maintain backdoor access even after reboots.

Researchers within Microsoft’s Detection and Response Team (DART) and Threat Intelligence Center (MTIC) spotted the software nasty, dubbed Tarrask, creating undesirable scheduled tasks via Windows Task Scheduler, which is typically used by IT administrators to automate such chores as updating programs, tidying up file systems, and starting certain applications.

The malware is part of a larger multi-stage attack against organizations that exploits an authentication bypass in the snappily named ManageEngine ADSelfService Plus, Zoho’s password-management and single-sign-on offering for Active Directory environments; this bypass vulnerability is tracked as CVE-2021-40539. The Unit42 group at Palo Alto Networks in November wrote about this security hole and how it was being exploited by miscreants to install remote-control backdoors – namely, the Godzilla webshell – and other malware in networks.

This week, Microsoft’s researchers revealed in a blog post that they have been watching the Hafnium crew exploit the vulnerability from August 2021 to February this year to target companies in the telecommunications, internet service provider, and data services industries with Godzilla implants.

A deeper investigation by Microsoft found evidence that Impacket tools were also used by Hafnium for lateral movement through victims’ IT environments as well as the task-scheduling software nasty Tarrask.

This latter malware creates hidden tasks to ensure remote access to compromised devices is maintained across reboots: if a machine is restarted, a task is defined to automatically reestablish a backdoor connection with Hafnium’s command-and-control servers. Whether Tarrask uses the Task Scheduler graphical user interface or the “schtasks” command-line utility, it generates artifacts on the system that IT staff can be on the look-out for as they indicate there may have been an intrusion. The hidden task itself is called WinUpdate.

To hide this task, Tarrask obtains SYSTEM-level privileges via token theft, and deletes the tasks’ security descriptor registry values. This makes the tasks disappear from view in the GUI and schtasks; manually inspecting the registry will reveal the hidden tasks.

The detection of Tarrask highlights the continuing abuse of task-scheduling tools by threat actors to maintain persistence in compromised systems. Researchers with LogRhythm wrote in a blog post two years ago that hackers like the OS’s scheduled tasks capabilities because “they are present on all Windows operating systems, they are easy to use, and most users do not even realize they’re present. Even those who are aware might struggle to work out which tasks are valid parts of the OS or applications they have installed, and which, if any, are malicious.”

The Microsoft researchers said job and task schedules have been in Windows for years and the abuse by Hafnium exhibited the crew’s deep understanding of the Windows’ subsystem and ability to mask Tarrask’s operations while maintaining persistence.

“As such, we recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving persistence,” they wrote.

John Bambenek, principal threat hunter at cybersecurity firm Netenrich, told The Register that advanced persistent threat (APT) actors often look for ways to maintain “subtle access to an environment. In this case, a hidden scheduled task could re-establish access for the attacker after an expulsion event. It probably isn’t a problem in the sense of the number of victims. However, if you’re a nation-state target, you want to pay attention to this.”

Double trouble

According to Mike Parkin, senior technical engineer at cybersecurity firm Vulcan Cyber, the threat of such malware is two-fold.

“First, by adding a scheduled task to regain any lost access, they achieve persistence on the target,” Parkin told The Register. “Second, by hiding the scheduled task, they make it much more difficult to identify and remediate the threat.”

That said, while the task itself is essentially hidden from view, it still has artifacts in the Windows Registry that can be identified and dealt with, he said. It can be time-consuming if done manually, and there are automated tools that can examine the registry to highlight or automatically remove suspicious entries.

The Microsoft analysts wrote that bad actors will use this evasion method to keep access to high-value targets while remaining undetected, and that this can be a problem for systems such as domain controllers and database servers that aren’t frequently rebooted.

They outlined steps enterprises can take to detect and defend against such malware, including modifying the audit policy to identify scheduled task actions and enabling and centralizing Task Scheduler logs. They also listed indicators of compromise for those wishing to find out if they’ve been targeted by the cyber-gang.

“Even if the tasks are ‘hidden’, these logs track key events relating to them that could lead you to discovering a well-hidden persistence mechanism,” The Microsofties wrote.

They also recommended monitoring uncommon behavior of outbound communications and ensuring that monitoring and alerting for such connections from critical Tier 0 and Tier 1 assets are in place. ®