On April 12, 2022, Microsoft published information about a new malware called Tarrask. The threat exploits a bug in the Windows Task Scheduler to evade detection.
Tarrask is used by the Hafnium hacker group, which has targeted telcos, ISPs, and the data services sector in the past.
For its attacks, the group uses zero-day vulnerabilities to penetrate computer systems. After a successful attack on a Windows device, a system bug is used to hide traces of the malware and make it harder to detect. Tarrask uses the bug to create hidden scheduled tasks that evade detection and give it persistent access to the system.
The system and applications use the Windows Task Scheduler to run periodic tasks, such as checking for updates or performing maintenance operations. Applications can add jobs to the Task Scheduler, provided they run with sufficient permissions. According to Microsoft, malware often uses tasks to “maintain resilience in a Windows environment.”
The user can analyze the tasks by running the Task Scheduler. However, Tarrask uses a scheduler bug to hide its task from that tool and from the schtasks /query console command, which returns a list of existing scheduled tasks. To avoid detection, Tarrask removes the task’s Security Descriptor (SD) value from the Windows registry, causing the task to disappear from the Task Scheduler and the command-line tool. In other words: a thorough review of all tasks using either of these tools will not reveal the malicious tasks.
How to Detect Tarrask on Windows Systems
The malware does not entirely remove information about the task, and its traces can still be found in the system registry. Microsoft suspects that the hacker group left data in the registry to make the malware persistent. The cybercriminals did not know that the task would “continue to run” after the SD component was removed.
Windows administrators can analyze scheduled task information in the system registry to find out whether the system is infected with the Tarrask malware:
- Use the keyboard shortcut Windows + R to display the Run window.
- Type regedit.exe and press the Enter key.
- Follow the path
- A list of scheduled tasks that exist in the system will be displayed.
- Review each task to determine if it is listed without an SD value.
If a task without an SD value is found, it is a hidden task that does not appear in the Task Scheduler or the command-line utility. The task cannot be deleted normally because it runs in the context of the SYSTEM user; attempts to delete it will fail with an access denied error.
The latest version of the Microsoft Defender security app detects the malware. Microsoft has added a new detection to Windows Defender that flags hidden tasks as Behavior:Win32/ScheduledTaskHide.A.
Microsoft recommends that administrators adopt the following security best practices to detect malware using this attack vector:
- View the registry key and look for tasks without an SD (Security Descriptor) value. Review these tasks as needed.
- Modify your audit policy to identify scheduled task activities by enabling “TaskOperational” logging in Microsoft-Windows-TaskScheduler/Operational. Apply the recommended audit policy settings that are appropriate for your environment.
- Enable and analyze the following Task Scheduler logs. Even if tasks are “hidden,” these logs keep track of critical events that may lead you to discover a well-hidden persistence mechanism.
  - Event ID 4698 in the Security.evtx log
- The attackers in this campaign used hidden scheduled tasks to maintain access to critical assets by regularly re-establishing outbound connections to the C&C infrastructure. Stay vigilant and watch for unusual outbound behavior by monitoring and alerting on these connections from critical Tier 0 and Tier 1 resources.
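The registry check described in the steps above and the Event ID 4698 monitoring recommended here, as an added PowerShell example (not code from the article or from Microsoft). The registry key path is not spelled out on this page, so the function takes it as a parameter; `Find-HiddenScheduledTask` and `Get-TaskCreationEvent` are names chosen for this example.

```powershell
# Added example: report task registry entries that lack an "SD" value, and pull
# recent task-creation events (Event ID 4698) from the Security log.
function Find-HiddenScheduledTask {
    [CmdletBinding()]
    param(
        # Registry key the article tells you to open in regedit (the Task
        # Scheduler's cached task tree). Placeholder: supply the path yourself,
        # e.g. 'HKLM:\<PATH_FROM_THE_ARTICLE>'.
        [Parameter(Mandatory)]
        [string]$TaskTreePath
    )

    if (-not (Test-Path -Path $TaskTreePath)) {
        throw "Registry key not found: $TaskTreePath"
    }

    # Each subkey is one cached task (folders nest, so recurse). A key with no
    # SD value is a lead to review, not proof of infection on its own.
    Get-ChildItem -Path $TaskTreePath -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sd = Get-ItemProperty -Path $_.PSPath -Name 'SD' -ErrorAction SilentlyContinue
            [pscustomobject]@{
                TaskKey = $_.Name
                HasSD   = ($null -ne $sd)
                Suspect = ($null -eq $sd)
            }
        }
}

function Get-TaskCreationEvent {
    [CmdletBinding()]
    param([int]$MaxEvents = 50)

    # Event ID 4698 is logged when a scheduled task is created, which requires
    # the audit policy change the article describes to be in place.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage (run from an elevated prompt; SYSTEM-owned keys deny access otherwise):
# Find-HiddenScheduledTask -TaskTreePath 'HKLM:\<PATH_FROM_THE_ARTICLE>' |
#     Where-Object Suspect | Format-Table -AutoSize
# Get-TaskCreationEvent -MaxEvents 20 | Format-List
```

Correlate each suspect key against the 4698 events and the Microsoft-Windows-TaskScheduler/Operational log to see when and by whom the task was registered.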
Other malware can also take advantage of this scheduler bug to avoid detection.