A new tool to hide the existence of scheduled tasks is being used by the Chinese-backed Hafnium group, according to recently released research by Microsoft. Hafnium is a group believed to be state-sponsored in China and who primarily targets entities in the United States across a number of industry sectors.
The tool, dubbed Tarrask, uses a previously unknown Windows bug to hide tasks from the schtasks.exe executable and Task Scheduler. It does this by deleting the associated Security Descriptor registry value that is created automatically upon task creation. If this registry key is deleted, the only way to view the scheduled task is via the Registry, allowing the threat actor to hide the existence of its persistence mechanism in an effective manner. Not only does it prevent the task from being viewable using normal processes, it also prevents the deletion of the task unless executed under the context of the SYSTEM user.
Further deletion of Registry keys located in the same path could have allowed the threat actors to remove all on-disk artifacts associated with the task, while still allowing it to execute. However, according to Microsoft, this would only allow the task to run until the system rebooted, so it could be that the threat actors wanted their task to persist through reboots or were unaware of this additional capability.
Analyst Notes
It is recommended for organizations to validate whether they have been infected with this tool by enumerating the appropriate Registry keys. The Registry path that contains task information is as follows:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionScheduleTaskCacheTree
From here, it is recommended to enumerate all keys, looking for any task keys that do not contain an “SD” (security descriptor) value. If any are found, further analysis should be performed to determine what activity that task is performing. Similarly, appropriate endpoint logging and monitoring should be in place, specifically any logging pertaining to the removal of Registry keys. By monitoring for the removal of this Registry value, an organization can be alerted to a potential malware infection as it is occurring. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
