How to detect the Windows Tarrask Malware that uses a bug to avoid detection

by Justin Rowell
29.09.2022

Microsoft published information about a new malware on its security website on April 12, 2022. The malware, named Tarrask, exploits a bug in Windows’ task scheduling system to evade detection.

[Image: Windows Registry, scheduled task key with its SD value]

Tarrask is used by the hacking group Hafnium, which has targeted the telecommunications, Internet Service Provider and data services sectors in the past.

The group uses zero-day vulnerabilities in its attacks to get into computer systems. Once a system has been compromised, a bug in Windows is used to hide traces of the malware and make detection harder. Tarrask uses the bug to create scheduled tasks that are hidden from the usual tooling, both to avoid detection and, most likely, for persistence.

The Windows Task Scheduler is used by the system and by applications to launch tasks, e.g., to check for updates or run maintenance operations. Applications may add tasks to the Task Scheduler, provided that they are executed with sufficient rights to do so. Malware uses tasks often, according to Microsoft, to “maintain persistence within a Windows environment”.

Tasks may be analyzed by launching the Task Scheduler tool on Windows. Tarrask uses a bug to hide its task both from that tool and from the command line option “schtasks /query”, which returns a list of all scheduled tasks that exist. To avoid detection, Tarrask deletes the Security Descriptor (SD) value of the task in the Windows Registry; this makes the task disappear from the Task Scheduler and from the command line tool. In other words: careful inspection of all tasks using either of the tools won’t reveal the malicious tasks.

Detecting Tarrask on Windows systems

The malware does not remove the task information entirely, as traces of it are still recorded in the system Registry. Microsoft suspects that the hacking group left the data in the Registry to make the malware persistent, or that the group was unaware that the task would “continue to run” after removal of the SD component.

Windows administrators may analyze the scheduled task information in the system Registry to find out if a system is infected with the Tarrask malware:

  1. Use the keyboard shortcut Windows-R to display the run box.
  2. Type regedit.exe and hit the Enter-key.
  3. Navigate to the path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree. You get the list of scheduled tasks that exist on the system.
  4. Go through each task to determine if one is listed without an SD value.

If a task without an SD value is found, it is a hidden task that is not displayed in the Task Scheduler or the command line utility. The task can’t be deleted normally, as it is running within the context of the SYSTEM user. Attempts to delete the task will fail with an access denied error message.
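The four-step manual check above can be scripted. The following PowerShell is an added example, not code from the article or from Microsoft: it walks the TaskCache\Tree key, reports every node that has no SD value, and looks up the matching TaskCache\Tasks\{GUID} entry (assumed here to hold the Path and Author values of the task) so an analyst has something to work with. The function name Get-HiddenScheduledTask and the output fields are this example's own choices. Run it from an elevated prompt; standard users cannot read the TaskCache keys.

```powershell
# Added example (not part of the original article or of Microsoft's guidance):
# enumerate the Task Scheduler cache in the registry and report every node that
# lacks an "SD" (security descriptor) value, the trait the article describes
# Tarrask relying on to hide from the Task Scheduler UI and from schtasks.
# Run from an elevated PowerShell prompt.

$TreePath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$TasksPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Get-HiddenScheduledTask {
    # Nodes under Tree normally carry an SD value. The registry provider exposes
    # the value names of a key through the .Property note property, so a node
    # whose Property list does not contain 'SD' is a suspect.
    Get-ChildItem -LiteralPath $TreePath -Recurse |
        Where-Object { $_.Property -notcontains 'SD' } |
        ForEach-Object {
            $node = $_
            $id   = $node.GetValue('Id')   # GUID that indexes TaskCache\Tasks
            $detail = $null
            if ($id) {
                # Tarrask only removed the SD from Tree; the Tasks\{GUID} entry
                # (assumed here to carry Path and Author) usually still exists.
                $detail = Get-Item -LiteralPath (Join-Path $TasksPath $id) -ErrorAction SilentlyContinue
            }
            [pscustomobject]@{
                # Trim the hive prefix so the key reads like a Task Scheduler path.
                TreeKey        = $node.Name -replace '^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree', ''
                Id             = $id
                HasTasksEntry  = [bool]$detail          # $true for a real task, not a folder
                TaskPath       = if ($detail) { $detail.GetValue('Path') }   else { $null }
                Author         = if ($detail) { $detail.GetValue('Author') } else { $null }
            }
        }
}

# Usage: list suspects for triage. Preserve the Tasks\{GUID} key of any hit before
# remediation; it still holds the action and trigger data of the hidden task.
Get-HiddenScheduledTask | Format-Table -AutoSize
```

A hit with HasTasksEntry set to $true is the pattern the article describes: a task whose Tree node lost its SD but whose definition is still present and still scheduled. Because the task runs as SYSTEM and resists normal deletion, the script only reports; removal is a separate, deliberate step.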

The latest version of Microsoft’s Windows Defender security application detects the malware. Microsoft added a new observation event to Windows Defender that detects hidden tasks; the application flags these as Behavior:Win32/ScheduledTaskHide.A.

Microsoft recommends that system administrators adopt the following recommendations and security guidelines to detect malware that is using the attack vector:

Enumerate your Windows environment registry hives looking in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree registry hive and identify any scheduled tasks without SD (security descriptor) Value within the Task Key. Perform analysis on these tasks as needed.

Modify your audit policy to identify Scheduled Tasks actions by enabling logging “TaskOperational” within Microsoft-Windows-TaskScheduler/Operational. Apply the recommended Microsoft audit policy settings suitable to your environment.

Enable and centralize the following Task Scheduler logs. Even if the tasks are ‘hidden’, these logs track key events relating to them that could lead you to discovering a well-hidden persistence mechanism:
  • Event ID 4698 within the Security.evtx log
  • Microsoft-Windows-TaskScheduler/Operational.evtx log

The threat actors in this campaign used hidden scheduled tasks to maintain access to critical assets exposed to the internet by regularly re-establishing outbound communications with C&C infrastructure. Remain vigilant and monitor uncommon behavior of your outbound communications by ensuring that monitoring and alerting for these connections from these critical Tier 0 and Tier 1 assets is in place.
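The logging recommendations above (enable the TaskScheduler operational log, audit task creation, collect Security 4698) can be applied and checked from PowerShell. The script below is an added example, not code from the article or from Microsoft. It assumes the standard event IDs for these logs: Security 4698 (scheduled task created) and 4702 (scheduled task updated), which are generated by the “Other Object Access Events” audit subcategory, and TaskScheduler/Operational 106 (task registered), 140 (task updated), 141 (task deleted) and 200 (action started). The function name Get-RecentTaskEvents and the output shape are this example's own.

```powershell
# Added example (not part of the original article or of Microsoft's guidance):
# turn on the logs Microsoft recommends, then pull the task-lifecycle events
# from both channels so hidden tasks leave a trail even when they are not
# visible in the Task Scheduler. Run from an elevated PowerShell prompt.

# 1. Enable the Task Scheduler operational channel (often disabled by default).
wevtutil set-log 'Microsoft-Windows-TaskScheduler/Operational' /enabled:true

# 2. Security event 4698 comes from the "Other Object Access Events" subcategory.
auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

function Get-RecentTaskEvents {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)

    # Helper: flatten the <EventData><Data Name=...> elements into a hashtable.
    $parse = {
        param($evt)
        $x = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $data
    }

    # Security log: 4698 = task created, 4702 = task updated. TaskContent holds
    # the full task XML, including the <Exec><Command> that will run.
    $security = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4698, 4702; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data = & $parse $_
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Log    = 'Security'
            Id     = $_.Id
            Task   = $data['TaskName']
            User   = $data['SubjectUserName']
            Detail = $data['TaskContent']
        }
    }

    # Operational log: 106 = registered, 140 = updated, 141 = deleted,
    # 200 = action started. Event 200 fires every time the task runs, which is
    # how a hidden task that "continues to run" still shows up here.
    $operational = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-TaskScheduler/Operational'
        Id = 106, 140, 141, 200; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data = & $parse $_
        $rest = ($data.GetEnumerator() | Where-Object { $_.Name -ne 'TaskName' } |
                 ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Log    = 'TaskScheduler'
            Id     = $_.Id
            Task   = $data['TaskName']
            User   = $data['UserContext']
            Detail = $rest
        }
    }

    @($security) + @($operational) | Sort-Object Time
}

# Usage: review the last week of task activity. Forward the same two channels to
# your SIEM so the evidence survives if the endpoint is tampered with.
Get-RecentTaskEvents -Days 7 | Format-Table Time, Log, Id, Task, User -AutoSize
```

The useful correlation is between the Task column here and the registry findings: a task name that appears in a 4698 or 106 event (and keeps producing 200 events) but is absent from the Task Scheduler UI and from “schtasks /query” is exactly the hidden-task condition the article describes.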

Now You: which security software do you use?

Thank you for being a Ghacks reader. The post How to detect the Windows Tarrask Malware that uses a bug to avoid detection appeared first on gHacks Technology News.

© 2021 technovanguard.com. Submit news release