If you suspect an active attack on your buisness, call our emergency hotline at: 612-399-9680
If you suspect an active attack on your business, call our emergency hotline at: 612-399-9680

HAFNIUM Tarrask Malware

Home » Blog » Cyber Threat » HAFNIUM Tarrask Malware
blog photos (23)

What is the Tarrask Malware?

The Tarrask malware utilizes Windows scheduled tasks to maintain persistence on compromised hosts. An admin can profile the usage of the Task Scheduler GUI or schtasks command line utility to aid investigators in tracking this persistence mechanism. The following registry keys are created upon creation of a new task:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks{GUID}

Subkeys created within the Tree path match the names of the scheduled task, and the values within it (Id, Index, and SD) contain metadata for the task registration within the system. The second subkey, created within Tasks path, is a GUID mapping to the Id value found in the Tree key. The values created within (Actions, Path, Triggers, etc.) contain the basic parameters necessary to facilitate execution of the task.

Similar information is also stored within an extensionless XML file created within C:\Windows\System32\Tasks, where the name of the file matches the name of the task. Within this file under the “Actions” value the command to be executed can be found. This will also match the “Actions” value stored in the Tasks{GUID} key.

There are two Windows event logs that record actions related to the creation and operation of Scheduled Tasks. Event ID 4698 within the Security.evtx log, and the Microsoft-Windows-TaskScheduler/Operational.evtx log. Neither of these are audited by default and must be explicitly turned on by an administrator.

In a forensic case, Microsoft found that the scheduled task named WinUpdate was created by the HackTool:W64/Tarrask. This task was used to re-establish any dropped connections to the command and control infrastructure of the threat actor. This task creation creates all the values listed above, but the threat actor removes the SD value within the Tree registry path. The SD value refers to the Security Descriptor, which determines the users allowed to run the task. Removing this value results in the command “schtasks /query” and the Task Schedule GUI from being able to see the scheduled task. Effectively hiding the task from the systems built in task scheduler tools. To view the hidden task an examiner must manually inspect the aforementioned registry paths.

Normally, removing the SD value wouldn’t be possible even when running “reg delete” from an elevated command prompt. Deletion must occur within the context of the SYSTEM user. It is for this reason that the Tarrask malware utilized token theft to obtain the security permissions associated with the lsass.exe process. Upon execution of the token theft, the malware could operate with the same privileges as LSASS, making the deletion possible.

Another technique to hide the scheduled task is to completely remove the two registry keys within Tree and Tasks, and the XML file created within C:\Windows\System32\Tasks. This would remove the on-disk artifacts associated with the scheduled task, but the task would continue to run based on the defined triggers until the system is rebooted, or until the associated svchost.exe process responsible for executing the task was terminated.

The HAFNIUM threat actor displays a through understanding of the Windows subsystem and uses this expertise to mask activities on targted endpoints to maintain persistence on affected systems and hide in plain site.

Who is Affected?

All Windows based devices can be affected by this type of subsystem usage. The malware is critical because it could allow a threat actor to hide in plain site on a compromised host making investigation of the threat very difficult. To mitigate or detect these techniques the following recommendations and guidelines from Microsoft can be followed (https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/)