News from OSINT Training
Scheduled Tasks Hide Malware
Scheduling a task can save a lot of time. Whether you want your calendar to open when you start the day, your systems to update themselves, or the perfect playlist to start on cue, scheduled tasks are a blessing. However, a recently documented piece of malware abuses those same scheduled tasks.
The malware persists through scheduled tasks, and it goes a step further: it hides the very task it created. The malware has been named Tarrask, and Microsoft attributes its use to Hafnium, a state-sponsored hacking group operating out of China.
How Does Tarrask Work?
Tarrask abuses the way the Windows Task Scheduler stores tasks in the registry (reported as a Windows bug). Every scheduled task has a key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, and that key holds a Security Descriptor (SD) value. Tarrask deletes the SD value of its task; with no security descriptor to read, the Task Scheduler UI and schtasks /query no longer list the task, yet the task keeps running. This is not a privilege escalation: deleting the value already requires SYSTEM-level access, which the actor obtains first (Microsoft describes token theft being used for this). Once the task is hidden this way, it is much harder to find and remove.
Once embedded on a system, it is difficult to dislodge. The task survives reboots, and because it lives in the registry it keeps running even when the on-disk task artifacts have been removed. No matter how many restarts are completed, the malware is still waiting behind that hidden scheduled task.
Who is Affected?
Microsoft was the first to report the issue, having tracked the malware for roughly six months, from August 2021 to February 2022. Victims were found in the telecommunications, internet service provider and data services sectors.
While there are likely more victims that haven't come forward, it is striking how such a simple technique lets the malware survive on different machines. Even though affected companies haven't gone public, Microsoft did publish detection and remediation guidance so that administrators can find and clean affected devices.
Who is Hafnium?
Hafnium has attacked Windows environments before, so it is no stranger to the tech giant. Microsoft assesses it to be a Chinese state-sponsored group that came to wide attention in March 2021, when it exploited zero-day flaws in Microsoft Exchange Server in a global-scale campaign.
Hafnium's main targets are U.S. based. Beyond telecom and internet providers, it has gone after defense contractors and researchers, and think tanks are plausible targets given the information they hold. Given the dynamic relationship between the U.S. and China, this chapter of espionage continues.
How to Combat the Malware
Malware can be difficult to remove, especially if you're not sure where to look. Microsoft has published step-by-step detection and removal guidance on its website (see the Resources below).
If you cannot reach the site, Microsoft Defender Antivirus also detects the components involved: look for detection names containing Tarrask, Ligolo (a tunnelling tool used by the actor) or ScheduledTaskHide. From there, use the antivirus to remove what it finds, then confirm that no hidden task remains before considering the device clean.
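The hiding technique described above (a task key with no SD value) is also the cheapest thing to hunt for, so here is an added example that is not from Microsoft's guidance or the original post: a PowerShell script that walks the TaskCache registry keys, reports every task whose SD value is missing, cross-checks it against what the Task Scheduler API is willing to show, and pulls recent task-creation events from the Security log. The registry paths and event ID 4698 are standard Windows locations; the function names and output fields are this example's own.

```powershell
# Added example (not Microsoft's tooling): hunt for scheduled tasks hidden Tarrask-style,
# i.e. tasks whose SD (security descriptor) registry value has been deleted.
# Run from an elevated PowerShell session: the TaskCache keys are not readable by standard users.

$TreeKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$TasksKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Get-HiddenScheduledTask {
    # What the Task Scheduler API admits to; a hidden task will be absent from this list.
    $visible = @{}
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        ForEach-Object { $visible[$_.TaskPath + $_.TaskName] = $true }

    # Every real task key under ...\Tree carries an Id value (the task GUID); folder keys do not.
    Get-ChildItem -Path $TreeKey -Recurse | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($null -eq $props.Id) { return }   # folder key, not a task
        if ($null -ne $props.SD) { return }   # normal task: it still has a security descriptor

        # Turn the registry key name into the task path the API uses, e.g. \Microsoft\Windows\Foo
        $taskPath = $_.Name -replace '^.*\\TaskCache\\Tree', ''
        $def = Get-ItemProperty -Path (Join-Path $TasksKey $props.Id) -ErrorAction SilentlyContinue

        # The Actions value is a binary blob; extracting its UTF-16 strings is a best-effort way
        # to see the executable and arguments without parsing the whole structure.
        $actions = ''
        if ($def -and $def.Actions) {
            $text = [System.Text.Encoding]::Unicode.GetString($def.Actions)
            $actions = ([regex]::Matches($text, '[\x20-\x7E]{4,}') |
                ForEach-Object { $_.Value }) -join ' | '
        }

        [pscustomobject]@{
            TaskPath     = $taskPath
            Id           = $props.Id
            Author       = $def.Author
            Actions      = $actions
            # A hidden task with no XML on disk still runs from the registry alone after reboot.
            OnDiskXml    = Test-Path "$env:SystemRoot\System32\Tasks$taskPath"
            # Expected to be False for a genuinely hidden task.
            VisibleToApi = [bool]$visible[$taskPath]
        }
    }
}

function Get-TaskCreationEvent {
    param([int]$Days = 30)
    # Event 4698 ("A scheduled task was created") reaches the Security log only when the
    # "Audit Other Object Access Events" subcategory is enabled; with it off you get nothing.
    $filter = @{ LogName = 'Security'; Id = 4698; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Subject  = $d.SubjectUserName
            TaskName = $d.TaskName
            Content  = $d.TaskContent   # full task XML, including the command that will run
        }
    }
}

Get-HiddenScheduledTask | Format-List
Get-TaskCreationEvent -Days 30 | Format-Table -AutoSize
```

On a clean machine the first command prints nothing, because every legitimately registered task has an SD value. Any task key that turns up with VisibleToApi set to False is exactly the condition Tarrask creates and deserves a look at its Actions strings and the user recorded in the matching 4698 event, if auditing was on. Removing such a task follows Microsoft's guidance linked under Resources; collect the registry keys and any on-disk XML as evidence before deleting anything.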
Best Malware Tools
Though Microsoft and other tech companies do a solid job at fixing security issues, it's never a bad idea to add tooling of your own. Whether you want to analyze a new malware sample or need to shore up your detection capability, these five open-source tools cover a lot of ground:
- Cuckoo Sandbox
- First released in 2010, Cuckoo is a widely used automated malware analysis sandbox. It detonates a suspicious file or URL inside an isolated virtual machine (Windows, Linux, Android and macOS guests are supported) and records what it does: API calls, files dropped, registry changes and network traffic. The resulting report tells you whether the file can be trusted or needs to be removed.
- Google Rapid Response (GRR)
- Malware leaves traces on endpoints, and GRR is built for finding them at scale. It is an incident response framework: a lightweight agent runs on each endpoint and a central server lets analysts remotely collect files, registry keys, memory and timelines from many machines at once. A security team can then analyze that evidence and hunt for the same indicators elsewhere in the fleet.
- Remnux
- REMnux is a Linux distribution that bundles a large set of malware analysis and reverse engineering tools. If you want to find out how a sample was built and how it works, it is the toolkit to reach for; it also includes tools for examining browser-based malware such as malicious JavaScript and documents, making it easier to determine what you're dealing with and how to stop it.
- Yara Rules
- YARA is a pattern-matching tool: a rule describes the strings, byte sequences and structural traits of a malware family, and scanning files or memory against a rule set classifies what you have found. Since most malware reuses older code and is pieced together, a good rule set often catches new variants of known families, which gives you a leg up on detecting attacks early.
- Bro (now Zeek)
- Zeek is a network security monitoring framework rather than a classic intrusion detection system: it parses traffic into rich protocol logs (connections, DNS, HTTP, TLS and more), supports signature matching, and lets you script anomaly detection on top of the logs. Those same logs support forensic investigations and protocol analysis, so you can see how malware communicates across your network.
Resources:
https://cyware.com/news/hafniums-new-malware-hides-behind-scheduled-tasks-2f9f7bdf
https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
https://www.theregister.com/2022/04/14/microsoft-tarrask-malware-in-windows/
https://www.bleepingcomputer.com/news/security/microsoft-new-malware-uses-windows-bug-to-hide-scheduled-tasks/
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
https://www.cyberbit.com/blog/endpoint-security/open-source-malware-analysis-tools/
https://cuckoosandbox.org/
https://github.com/google/grr
https://remnux.org/
https://securityintelligence.com/signature-based-detection-with-yara/
https://zeek.org/