How to detect the Windows Tarrask Malware that uses a bug to avoid detection

by Justin Rowell
19.04.2022

Microsoft published information about a new malware family on its security website on April 12, 2022. The malware, named Tarrask, exploits a bug in Windows’ task scheduling system to evade detection.

Tarrask is used by the hacking group Hafnium, which has targeted telecommunications companies, Internet service providers and the data services sector in the past.

The group uses zero-day vulnerabilities to get into computer systems. Once a system has been compromised, a bug in Windows is used to hide traces of the malware and make detection harder. Tarrask uses the bug to create scheduled tasks that are hidden to avoid detection and, most likely, also to maintain persistence.

The Windows Task Scheduler is used by the system and by applications to launch tasks, e.g., to check for updates or run maintenance operations. Applications may add tasks to the Task Scheduler, provided that they run with sufficient rights to do so. According to Microsoft, malware often uses tasks to “maintain persistence within a Windows environment”.

Tasks may be analyzed by launching the Task Scheduler tool on Windows. Tarrask uses a bug to hide its task from the tool and also the command line option “schtasks /query”, which returns a list of scheduled tasks that exist. To avoid detection, Tarrask deletes the Security Descriptor value of the task in the Windows Registry; this results in the task’s disappearance from the Task Scheduler and from the command line tool. In other words: careful inspection of all tasks using either of the tools won’t reveal the malicious tasks.

Detecting Tarrask on Windows systems

The malware does not remove task information entirely, as traces of it are still recorded in the system Registry. Microsoft suspects that the hacking group left the data in the Registry to make the malware persistent, or that the group was unaware that the task would “continue to run” after removal of the SD component.

Windows administrators may analyze the scheduled task information in the system Registry to find out if a system is infected with the Tarrask malware:

  1. Use the keyboard shortcut Windows-R to display the run box.
  2. Type regedit.exe and hit the Enter-key.
  3. Navigate to the path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree. You get the list of scheduled tasks that exist on the system.
  4. Go through each task to determine if one is listed without SD value.

If a task without SD value is found, it is a hidden task that is not displayed in the Task Scheduler or the command line utility. The task can’t be deleted normally, as it is running within the context of the SYSTEM user. Attempts to delete the task will fail with an access denied error message.
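The manual Registry walk above scales poorly on a fleet. The following PowerShell script is an added example (not from the article or from Microsoft) that performs the same check: it recurses through TaskCache\Tree, reports every task key that lacks an SD value, and notes whether the Task Scheduler API still enumerates it. It assumes that a Tree key is a task (rather than a folder) when its Id value names a subkey under TaskCache\Tasks, and it must run from an elevated prompt.

```powershell
# Added example, not from the article or Microsoft: find Tree task keys with no SD
# (security descriptor) value, the condition described above for Tarrask's hidden tasks.
# Run elevated; the TaskCache keys are not readable by standard users.
$TaskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'

function Get-TasksWithoutSD {
    # Tree mirrors the task folder hierarchy, so recurse through every subkey.
    Get-ChildItem -Path "$TaskCache\Tree" -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $names = $_.GetValueNames()
            # Assumption: a key is a task (not a folder) when its Id value names a
            # subkey under TaskCache\Tasks, where the task body itself is stored.
            $id = $_.GetValue('Id')
            if (-not $id) { return }
            if (-not (Test-Path -LiteralPath "$TaskCache\Tasks\$id")) { return }

            if ($names -notcontains 'SD') {
                [pscustomobject]@{
                    # Strip the hive prefix so the path reads like "\Folder\TaskName".
                    TaskPath = $_.Name.Substring($_.Name.IndexOf('\Tree') + 5)
                    Id       = $id
                    Values   = $names -join ', '
                }
            }
        }
}

# Cross-check against what the Task Scheduler API still shows. A task present in
# the Registry but absent here is hidden from both the GUI and schtasks /query.
$visible = Get-ScheduledTask -ErrorAction SilentlyContinue |
    ForEach-Object { $_.TaskPath + $_.TaskName }

Get-TasksWithoutSD |
    Select-Object TaskPath, Id, Values,
        @{ Name = 'EnumeratedByAPI'; Expression = { $visible -contains $_.TaskPath } } |
    Format-Table -AutoSize
```

On a clean system the script produces no rows; any row with EnumeratedByAPI set to False is a task that the normal tooling cannot see and warrants analysis of the matching TaskCache\Tasks\{Id} key.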

The latest version of Microsoft’s Windows Defender security application detects the malware. Microsoft added a new observation event to Windows Defender that detects hidden tasks; these are flagged as Behavior:Win32/ScheduledTaskHide.A.

Microsoft recommends that system administrators follow these security guidelines to detect malware that uses this attack vector:

Enumerate your Windows environment registry hives, looking in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree registry hive, and identify any scheduled tasks without an SD (security descriptor) value within the task key. Perform analysis on these tasks as needed.

Modify your audit policy to identify Scheduled Tasks actions by enabling logging “TaskOperational” within Microsoft-Windows-TaskScheduler/Operational. Apply the recommended Microsoft audit policy settings suitable to your environment.

Enable and centralize the following Task Scheduler logs. Even if the tasks are ‘hidden’, these logs track key events relating to them that could lead you to discovering a well-hidden persistence mechanism:
  • Event ID 4698 within the Security.evtx log
  • Microsoft-Windows-TaskScheduler/Operational.evtx log
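Centralized logs are only useful if someone reconciles them with the live system. The following PowerShell function is an added example (not from the article or from Microsoft): it reads Security events 4698 (task created) and 4699 (task deleted), and reports tasks that the audit trail says were created and never deleted but that the Task Scheduler API no longer enumerates, which is the symptom of a task hidden by SD removal. It assumes the “Audit Other Object Access Events” subcategory is enabled so that 4698/4699 are written, and it runs elevated.

```powershell
# Added example, not from the article or Microsoft: reconcile Security audit events
# 4698 (scheduled task created) and 4699 (scheduled task deleted) with the tasks
# the Task Scheduler API still enumerates. Requires the "Audit Other Object Access
# Events" subcategory to be enabled and an elevated prompt.
function Get-AuditedTasksNotEnumerated {
    param([int]$Days = 30)

    $filter = @{ LogName = 'Security'; Id = 4698, 4699; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $created = @{}
    $deleted = @{}
    foreach ($e in $events) {
        # EventData carries TaskName as "\Folder\Name" and the account that acted.
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        $task = ($data | Where-Object Name -eq 'TaskName').'#text'
        $user = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
        if ($e.Id -eq 4698) {
            $created[$task] = [pscustomobject]@{
                TaskName = $task; CreatedBy = $user; Created = $e.TimeCreated
            }
        } else {
            $deleted[$task] = $e.TimeCreated
        }
    }

    # Same "\Folder\Name" form as the audit events, for a direct comparison.
    $visible = Get-ScheduledTask -ErrorAction SilentlyContinue |
        ForEach-Object { $_.TaskPath + $_.TaskName }

    foreach ($task in $created.Keys) {
        # A legitimate removal leaves a 4699 after the 4698; a hidden task does not.
        $deletedLater = $deleted.ContainsKey($task) -and
                        $deleted[$task] -gt $created[$task].Created
        if (-not $deletedLater -and $visible -notcontains $task) { $created[$task] }
    }
}

Get-AuditedTasksNotEnumerated -Days 30 | Format-Table -AutoSize
```

The same reconciliation can be run against the centralized copy of the logs rather than the local host, which also catches cases where the attacker cleared the local Security log after registering the task.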

The threat actors in this campaign used hidden scheduled tasks to maintain access to critical assets exposed to the internet by regularly re-establishing outbound communications with C&C infrastructure. Remain vigilant and monitor uncommon behavior of your outbound communications by ensuring that monitoring and alerting for these connections from these critical Tier 0 and Tier 1 assets is in place.

Now You: which security software do you use?

Thank you for being a Ghacks reader. The post How to detect the Windows Tarrask Malware that uses a bug to avoid detection appeared first on gHacks Technology News.