The China-backed threat group tracked as Hafnium (also described as an APT group) has been observed attacking devices running Windows. The tool it uses to create “hidden” scheduled tasks and establish persistence on compromised Windows hosts is dubbed Tarrask malware. Experts report that Internet and data providers were attacked extensively, with the most active period running from late summer 2021 to early spring 2022.
The following Sigma-based rule released by SOC Prime’s Threat Bounty developer Aytek Aytemur detects the presence of Tarrask malware in your environment by identifying methods used to wipe the SD (security descriptor) value from the Command Prompt.
This detection is available for 21 SIEM, EDR & XDR platforms.
The rule is aligned with the latest MITRE ATT&CK® framework v10, addressing the Execution tactic with Command and Scripting Interpreter (T1059) and Scheduled Task/Job (T1053) as the primary techniques.
To check whether your systems have been compromised by novel malicious strains, see the full list of rules available on SOC Prime’s platform. Are you a professional threat hunter? Join our crowdsourcing initiative, the Threat Bounty program, which brings continuous rewards and recognition.
Tarrask is designed to abuse Windows Task Scheduler, the built-in component that lets administrators run automated tasks on a schedule.
The newly detected strain creates scheduled tasks that are hard to detect, whether set up through the schtasks command-line tool or the Task Scheduler application. When a new task is created, the malware adds new registry keys under the Tree and Tasks paths. Adversaries thereby maintain stealthy persistence in the breached infrastructure, keeping Tarrask’s malicious activity under the user’s radar.
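As an added example (not code from the original post or from SOC Prime's rule), the following Python script applies the detection idea described above to constructed process-creation events: it flags command lines that remove the SD value from a task's subkey under the Task Scheduler's TaskCache\Tree registry path, via either reg.exe or PowerShell, and reports the affected task name for triage. The sample events and task names are constructed, not real telemetry.

```python
import re

# Substring of the Task Scheduler registry path under which each task
# has a subkey holding its SD (security descriptor) value.
TASKCACHE_TREE = r"schedule\taskcache\tree"

# reg.exe deleting the SD value, e.g.  reg delete "<key>" /v SD /f
REG_DELETE_SD = re.compile(r"\breg(?:\.exe)?\s+delete\b.*/v\s+SD\b", re.I)
# PowerShell removing the SD value, e.g.  Remove-ItemProperty -Path <key> -Name SD
PS_REMOVE_SD = re.compile(r"remove-itemproperty\b.*-name\s+['\"]?SD\b", re.I)
# Task name = first path component after ...\Tree\
TASK_NAME = re.compile(r"taskcache\\tree\\([^\"'\s]+)", re.I)

# Constructed sample process-creation events (image + command line).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
                r'\Schedule\TaskCache\Tree\WinUpdate" /v SD /f'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -c Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft"
                r"\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Sync' -Name SD"},
    # Benign: reading the key, and creating a normal task, should not fire.
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
                r'\Schedule\TaskCache\Tree"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /tn Backup /tr backup.exe /sc daily"},
]


def is_sd_wipe(cmdline: str) -> bool:
    """True if the command line deletes the SD value of a task under TaskCache\\Tree."""
    if TASKCACHE_TREE not in cmdline.lower():
        return False
    return bool(REG_DELETE_SD.search(cmdline) or PS_REMOVE_SD.search(cmdline))


def task_name(cmdline: str) -> str:
    """Extract the task subkey name from the registry path, or '' if absent."""
    m = TASK_NAME.search(cmdline)
    return m.group(1) if m else ""


def scan(events):
    """Return (image, task name) for every event that wipes a task's SD value."""
    return [(e["image"], task_name(e["cmdline"])) for e in events if is_sd_wipe(e["cmdline"])]


if __name__ == "__main__":
    for image, name in scan(SAMPLE_EVENTS):
        print(f"ALERT: SD value removed for task '{name}' by {image}")
```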
Tarrask malware attacks are carried out by Hafnium, a state-backed threat actor operating from China, Microsoft researchers report. The attacks analyzed over a half-year span show that Hafnium operators have a deep grasp of the Windows subsystem and use that knowledge to conceal their malicious activity on infected endpoints while establishing persistence.
Microsoft has been closely following Hafnium operations since the group’s abuse of Microsoft Exchange Server, and the Task Scheduler service component has since become an easy and sought-after target for the gang. Hafnium’s favored initial attack vector is exploiting unpatched zero-day flaws, followed by deploying malware and building an elaborate persistence mechanism.
To strengthen your organization’s cyber defense against this and other existing or emerging threats, register for SOC Prime’s Detection as Code platform. Hunt for threats in your security environment and improve log source and MITRE ATT&CK coverage to take your defense to the next level.