OVERVIEW
Tarrask is a malware variant being used by the Hafnium group in order to achieve persistence via abuse of Windows scheduled tasks. First appearing in April of 2022, Tarrask creates “hidden” scheduled tasks to obfuscate tasks curated by the threat actor.
TARGETING
The operators of Tarrask, Chinese state actor ‘Hafnium’, has been observed to target think tanks, defense contractors, non-profits and researchers. With the discovery of Tarrask, their targets have been seen to expand to those in the telecommunication, internet service provider and data services sector.
DELIVERY
Delivery of Tarrask has been identified by Microsoft researchers as a part of the exploitation of a authentication bypass vulnerability that exists in environments utilizing ManageEngine ADSelfService Plus.
INSTALLATION
Tarrask has been observed to abuse Windows task Scheduler and create scheduled tasks (and hide) in order to maintain persistence within an environment. There are several registry keys created within observed paths and an extensionsless XML file create within C:\Windows\System32\Tasks.
Tarrask also hides the tasks by deleting Security Descriptors values within the registry paths, which “hides” the tasks when ‘schtasks /query’ is run and within Task Schedulder itself.
PERSISTENCE
Persistence is achieved by the creation of the scheduled task, and in turn the adding of the registry keys in the paths below:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks{GUID}
The scheduled task allows the re-establishing of any connections that are dropped to their C2.
Tarrask Threat Update
April 2022 – Microsoft discovered a new malware variant named Tarrask being used by the Hafnium group in order to achieve persistence via abuse of scheduled tasks – the malware was found as a part of the exploitation of a authentication bypass vulnerability that exists in environments utilizing ManageEngine ADSelfService Plus. Due to their track record and the potential abuse of unpatched zero-day vulnerabilities, Microsoft looks at them as high-priority. The targeted industries have been observed to be expanded as well, targeting those in the telecommunication, internet service provider and data services sector. With this new vulnerability becoming uncovered, it is important to ascertain and prepare your environment as more information is discovered.
The Hafnium threat group is a Chinese state-sponsored threat group that very publicly exploited critical vulnerabilities in Microsoft Exchange Servers in March of 2021. When the attacks occurred during that time, they are believed to have affected over 21,000 organizations, targeting unpatched and exploitable on-premise Exchange Servers worldwide – known targets of the threat group at the time being think tanks, defense contractors, non-profits and researchers. Since then, Microsoft has released numerous out-of-band and monthly security patches pertaining to the vulnerabilities, and although there has been other Exchange based vulnerabilities/exploits uncovered and linked to Hafnium during the time (i.e. Proxylogon), no new CVE’s past the first four have been released in relation.
