How to detect the Windows Tarrask Malware that uses a bug to avoid detection


Microsoft posted information about a new malware on its security website on April 12, 2022. The malware, called Tarrask, takes advantage of a bug in the Windows task scheduling system to evade detection.

Tarrask is used by the Hafnium hacking group, which in the past has focused on the telecommunications, internet service provider, and data services sectors.

The group uses zero-day vulnerabilities for its attacks to get into computer systems. Once a system has been successfully attacked, a bug in Windows is used to hide traces of the malware and make detection more difficult. Tarrask uses the bug to create scheduled tasks that are hidden to avoid detection and probably also for persistence.

Windows Task Scheduler is used by the system and by applications to start tasks, for example, to check for updates or perform maintenance operations. Applications can add tasks to Task Scheduler, as long as they are running with sufficient rights to do so. Tasks are often used by malware, according to Microsoft, to “maintain persistence within a Windows environment.”


Tasks can be inspected by starting the Task Scheduler tool in Windows. Tarrask uses a bug to hide its task both from that tool and from the “schtasks /query” command, which returns a list of existing scheduled tasks. To avoid detection, Tarrask removes the task's Security Descriptor (SD) value from the Windows Registry; this makes the task disappear from Task Scheduler and from the command line tool. In other words: a careful inspection of all tasks using either tool will not reveal the malicious task.

Tarrask detection on Windows systems

The malware does not delete the task information completely as traces are still recorded in the system registry. Microsoft suspects that the hacking group left data in the Registry to make the malware persistent, or that the group was unaware that the task would “continue to run” after removing the SD component.

Windows administrators can analyze scheduled task information in the System Registry to find out if a system is infected with Tarrask malware:

  1. Use the keyboard shortcut Windows-R to display the run box.
  2. Type regedit.exe and press the Enter key.
  3. Navigate to the path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree. This key holds the list of scheduled tasks that exist on the system.
  4. Review each task key to determine whether one appears with no SD value.
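The manual check above can be automated. The following is an added example (not from the article or from Microsoft): it walks the TaskCache\Tree key, reports every task key that has an Id but no SD value, and looks up the matching definition under TaskCache\Tasks by that GUID. It assumes the Tasks subkey carries Path, Author and Actions values, which is what current Windows versions store there; run it from an elevated PowerShell prompt.

```powershell
# Added example, not the article's own code. Enumerates hidden scheduled tasks
# (task keys under TaskCache\Tree with no SD value) and shows what they run.
$treePath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$tasksPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Find-HiddenScheduledTask {
    # Assumption: every registered task (and task folder) under Tree normally
    # carries an SD value; a key with an Id but no SD is the trace the article
    # describes. Confirm on a known-clean machine before alerting on it.
    Get-ChildItem -Path $treePath -Recurse | ForEach-Object {
        $values = $_.GetValueNames()
        if (($values -contains 'Id') -and -not ($values -contains 'SD')) {
            $id = $_.GetValue('Id')
            # The GUID in Id links the Tree entry to its definition under Tasks.
            $def = Get-ItemProperty -Path (Join-Path $tasksPath $id) -ErrorAction SilentlyContinue
            # Actions is a binary blob containing UTF-16 strings (command, arguments);
            # decode it and keep only printable ASCII so the executable path is readable.
            $actions = ''
            if ($def -and $def.Actions) {
                $actions = ([Text.Encoding]::Unicode.GetString($def.Actions) -replace '[^\x20-\x7E]', ' ').Trim()
            }
            [PSCustomObject]@{
                TreeKey  = $_.Name.Substring($_.Name.IndexOf('\Tree') + 5)
                Id       = $id
                Author   = if ($def) { $def.Author } else { '<no Tasks entry>' }
                Path     = if ($def) { $def.Path }   else { '<no Tasks entry>' }
                Actions  = $actions
            }
        }
    }
}

# Example use: list hidden tasks in a table, or pipe to Export-Csv for triage.
Find-HiddenScheduledTask | Format-Table -AutoSize -Wrap
```

An empty result means no task key under Tree is missing its SD value; any row returned deserves the same scrutiny the article recommends, starting with the Actions column.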

If a task with no SD value is found, it is a hidden task that is not displayed in Task Scheduler or the command line utility. The task cannot be killed normally, as it runs within the context of the SYSTEM user. Attempts to delete the task will fail with an access denied error message.

The latest version of Microsoft’s Windows Defender security app detects the malware. Microsoft added a new detection to Windows Defender that identifies hidden tasks; the application flags them as Behavior:Win32/ScheduledTaskHide.A.

Microsoft recommends that system administrators adopt the following security recommendations and guidelines to detect malware using the attack vector:

Enumerate the scheduled tasks in the Registry by inspecting the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree key and identify any task key that lacks the SD (security descriptor) value. Analyze these tasks as needed.

Modify your audit policy to identify scheduled task actions by enabling “TaskOperational” logging within Microsoft-Windows-TaskScheduler/Operational. Apply the recommended Microsoft audit policy settings appropriate for your environment.

Enable and centralize the following Task Scheduler logs. Even if the tasks are “hidden”, these logs track key events related to them that could lead to discovering a well-hidden persistence mechanism:
  - Event ID 4698 in the Security.evtx log
  - The Microsoft-Windows-TaskScheduler/Operational.evtx log
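Once 4698 auditing is on, the log can be reconciled against what Task Scheduler currently shows. The following is an added example (not from the article or from Microsoft): it collects task registration (4698) and deletion (4699) events from the Security log and reports tasks that were registered, never deleted, yet are no longer visible through Get-ScheduledTask. It assumes the "Other Object Access Events" audit subcategory is enabled so that 4698/4699 are actually written.

```powershell
# Added example, not the article's own code. Flags tasks whose registration is in
# the Security log but which the Task Scheduler API can no longer see.
function Find-UnaccountedTaskRegistration {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    # 4698 = scheduled task created, 4699 = scheduled task deleted. Both require the
    # "Audit Other Object Access Events" subcategory to be enabled for success.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698, 4699; StartTime = $since } -ErrorAction SilentlyContinue
    $registered = @{}
    $deleted    = @{}
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = $xml.Event.EventData.Data
        $name = ($data | Where-Object Name -eq 'TaskName').'#text'      # e.g. "\Updater"
        $user = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
        if ($e.Id -eq 4698) {
            $registered[$name] = [PSCustomObject]@{ When = $e.TimeCreated; By = $user }
        } else {
            $deleted[$name] = $e.TimeCreated
        }
    }
    # What the Task Scheduler API shows right now, as full "\Folder\Name" paths.
    $visible = Get-ScheduledTask | ForEach-Object { $_.TaskPath + $_.TaskName }
    foreach ($name in $registered.Keys) {
        # Registered, no deletion event, not visible: either the SD value was removed
        # (the Tarrask technique) or the task was unregistered without auditing.
        if (($visible -notcontains $name) -and -not $deleted.ContainsKey($name)) {
            [PSCustomObject]@{
                TaskName     = $name
                RegisteredAt = $registered[$name].When
                RegisteredBy = $registered[$name].By
            }
        }
    }
}

# Example use: look back 90 days and print any unaccounted-for registrations.
Find-UnaccountedTaskRegistration -Days 90 | Format-Table -AutoSize
```

Cross-check every hit against the TaskCache\Tree key: a matching key with no SD value confirms the hiding technique rather than an ordinary unaudited removal.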

Threat actors in this campaign used hidden scheduled tasks to maintain access to critical Internet-exposed assets by regularly re-establishing outbound communications with their C&C infrastructure. Stay alert and monitor for unusual outbound communications by ensuring that monitoring and alerting are in place for connections from these Tier 0 and Tier 1 critical assets.

Other malware can also exploit the bug to avoid detection.


Now you: What security software do you use?
