Microsoft details how China-linked crew’s malware hides scheduled Windows tasks


The China-linked Hafnium cyber-gang is using a strain of malware to maintain a persistent presence in compromised Windows systems by creating hidden tasks that maintain backdoor access even after reboots.

Researchers within Microsoft’s Detection and Response Team (DART) and Threat Intelligence Center (MSTIC) spotted the software nasty, dubbed Tarrask, creating undesirable scheduled tasks via Windows Task Scheduler, which is typically used by IT administrators to automate such chores as updating programs, tidying up file systems, and starting certain applications.
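A defender-side check for the hiding behaviour described above, added here as an example rather than code from Microsoft’s report: it walks the Task Scheduler registry cache and flags any task the Task Scheduler API does not list, or whose security descriptor (SD) value is absent. The registry locations and the SD heuristic are assumptions on my part and are not stated in this article.

```powershell
# Added example (not Microsoft's or the malware's code). Assumptions: scheduled tasks
# are cached under HKLM\...\Schedule\TaskCache\Tree, each task node carries an Id value
# (folder nodes do not), and the script runs elevated on the host under review.

function Find-HiddenScheduledTask {
    $treeRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
    $treePrefix = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

    # Tasks the API (Get-ScheduledTask, schtasks.exe, the MMC snap-in) will display,
    # keyed as TaskPath + TaskName, e.g. "\Microsoft\Windows\Foo\Bar".
    $visible = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    Get-ScheduledTask | ForEach-Object { [void]$visible.Add($_.TaskPath + $_.TaskName) }

    Get-ChildItem -Path $treeRoot -Recurse | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath

        # Folder nodes have no Id value; only real task entries do.
        if ($null -eq $props.PSObject.Properties['Id']) { return }

        # The registry path relative to Tree has the same shape as TaskPath + TaskName.
        $taskPath  = $_.Name.Substring($treePrefix.Length)
        $hasSd     = $null -ne $props.PSObject.Properties['SD']
        $isVisible = $visible.Contains($taskPath)

        # A task recorded in the cache but missing its SD, or not reported by the
        # API at all, is worth analyst review: it still fires but does not show up
        # in the usual task listings.
        if (-not $hasSd -or -not $isVisible) {
            [pscustomobject]@{
                Task       = $taskPath
                TaskId     = $props.Id      # look this up under TaskCache\Tasks for its actions
                SdMissing  = -not $hasSd
                ApiVisible = $isVisible
            }
        }
    }
}

Find-HiddenScheduledTask | Format-Table -AutoSize
```

An empty result means every cached task is both visible to the API and carries a security descriptor; any row returned should be cross-checked against the task's definition under TaskCache\Tasks before it is removed.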

The malware is part of a larger multi-stage attack against organizations that exploits an authentication bypass in the snappily named ManageEngine ADSelfService Plus, Zoho’s password-management and single-sign-on offering for Active Directory environments; this bypass vulnerability is tracked as CVE-2021-40539. The Unit42 group at Palo Alto Networks in November wrote about this security hole and how it was being exploited by miscreants to install remote-control backdoors – namely, the Godzilla webshell – and other malware in networks.
