October 3, 2023

The Chinese Hafnium hacking group has been found to use a new type of malware that Microsoft discovered a few days ago. Dubbed Tarrask, that remain persistence inside the systems with hidden scheduled tasks

There has been a historical pattern of attacks by the Hafnium threat group targeting diversified entities in US.


Microsoft defines it one of the state-sponsored groups that were linked last year to a massive global attack. The threat actors have exploited the ProxyLogon zero-day flaw affecting every version of Microsoft Exchange supported.

To perform automated tasks on a chosen computer for legitimate administrative purposes, Windows Task Scheduler is a service that enables users to schedule tasks to run on their computer.Its common to use this service by threat actors to maintain their persistence as long as they remain within a Windows environment.

If you use the Task Scheduler GUI or the schtasks command-line utility to create a scheduled task, the Tarrask malware will generate several artifacts from the process

Here below we have mentioned the registry keys that are created upon the creation of a new task:-

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}

All the deleted artifacts were also added to the system folder to remove any trace of malicious activity, it would have seemingly removed persistence across restarts since it had been added to the system folder

Indicators of Compromise

  • 54660bd327c9b9d60a5b45cc59477c75b4a8e2266d988da8ed9956bcc95e6795
  • a3baacffb7c74dc43bd4624a6abcd1c311e70a46b40dcc695b180556a9aa3bb2
  • 7e0f350864fb919917914b380da8d9b218139f61ab5e9b28b41ab94c2477b16d

Leave a Reply

%d bloggers like this: