Notorious hacker group Hafnium deployed malicious code to target Windows, Microsoft stood still
But this time, the Redmond company appears well prepared, claiming to have information about the hacker group's activities. Microsoft security experts say Hafnium is using a strain of malware called 'Tarrask' to target Windows and repeatedly weaken the operating system's defenses.
Specifically, according to Microsoft's preliminary investigation, the Hafnium group is using Tarrask, a "defense-evasion malware", to bypass Windows' security defenses and ensure that compromised environments remain vulnerable. Explaining the issue, the Microsoft Detection and Response Team (DART) wrote in a blog post:
During high-priority HAFNIUM threat agent monitoring, we discovered that some unpatched Windows zero-day vulnerabilities were abused by hackers as initial attack vectors. Further investigation revealed indications of using the Impacket engine to deploy malicious activity horizontally, and discovered defense-evading malware called Tarrask. It creates 'hidden' scheduled tasks, with actions to clear task attributes, to hide its activity.
Microsoft is actively monitoring Hafnium activities and is aware that this group is abusing a new exploit targeting the Windows subsystem. Malicious actors appear to be exploiting a previously unknown Windows bug to hide malware from "schtasks/query" and Task Scheduler.
The malware evades detection by Windows security tools by deleting the associated Security Descriptor registry value. In simple terms, an unpatched Windows Task Scheduler bug is helping malware wipe its tracks and effectively hide itself from the operating system's active defenses.
In plain terms, Hafnium appears to be using "hidden" scheduled tasks to keep access to compromised devices even after multiple reboots. As with any malware, Tarrask also re-establishes connections with its Command-and-Control (C2) infrastructure.
The Microsoft DART team not only issued a warning but also recommends that users enable 'TaskOperational' logging in the Microsoft-Windows-TaskScheduler/Operational event log. This makes it easier for system administrators to find suspicious connections from important Tier 0 and Tier 1 assets.
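As an added illustration of that advice (example code, not from the article or from Microsoft), the following PowerShell snippet enables the operational log DART recommends and then lists task entries in the Task Scheduler registry cache whose Security Descriptor (SD) value is missing, cross-checking each against what the scheduler itself reports. It assumes the standard TaskCache\Tree registry layout, where each task node carries an 'Id' and an 'SD' value, and must run from an elevated prompt.

```powershell
# Added example, not from the article or Microsoft. Run elevated.
# Assumption: the standard Task Scheduler registry layout under TaskCache\Tree,
# where every task node carries an 'Id' value and an 'SD' (security descriptor)
# value; a node with an Id but no SD matches the hiding technique the article
# attributes to Tarrask.

$TreePath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$LogName  = 'Microsoft-Windows-TaskScheduler/Operational'

function Enable-TaskSchedulerLog {
    # Turn on the operational log DART recommends, then confirm it is enabled.
    wevtutil.exe set-log $LogName /enabled:true
    (Get-WinEvent -ListLog $LogName).IsEnabled
}

function Get-TaskWithoutSD {
    Get-ChildItem -Path $TreePath -Recurse | ForEach-Object {
        $node = $_
        # Folders under Tree have no Id; only real task nodes do.
        if ($null -eq $node.GetValue('Id')) { return }
        if ($null -ne $node.GetValue('SD')) { return }

        # Registry key name -> scheduler path ("\Folder\TaskName").
        $rel    = $node.Name.Substring($node.Name.IndexOf('\Tree\') + 5)
        $name   = Split-Path $rel -Leaf
        $folder = Split-Path $rel -Parent
        if ($folder -ne '\') { $folder += '\' }

        # A task stripped of its SD is expected to vanish from the scheduler's
        # own view; record both views so the discrepancy is explicit.
        $seen = Get-ScheduledTask -TaskPath $folder -TaskName $name -ErrorAction SilentlyContinue

        [PSCustomObject]@{
            TaskPath          = $rel
            Id                = $node.GetValue('Id')
            ListedByScheduler = [bool]$seen
        }
    }
}

Enable-TaskSchedulerLog
Get-TaskWithoutSD | Format-Table -AutoSize
```

Any row with ListedByScheduler set to False is a task the registry knows about but schtasks and the Task Scheduler UI do not, which is exactly the gap the article describes and a good starting point for an investigation.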