Skip to main content

Microsoft reveals how the Hafnium cybergang is using its malware

A computer screen with program code warning of a detected malware script program
(Image credit: Getty)

Microsoft researchers have been detailing how they think a cybergang is employing a strain of malware (opens in new tab), which can remain hidden in Windows machines that have been compromised.

The Hafnium cyber outfit, with alleged links to China, is creating hidden tasks that retain backdoor access, even if a machine has been rebooted.

Investigations by Microsoft’s Detection and Response Team (DART), along with the Threat Intelligence Center )MTIC), uncovered the latest software weakness. It was found to be producing unwanted scheduled tasks through Windows Task Scheduler.

The malware, nicknamed Tarrask by its investigators, hides behind a process frequently called upon by IT administrators to automate everyday tasks, including the likes of organising file systems and launching some applications.

Microsoft experts think that the recent malware episode forms part of a wider and prolonged multi-stage attack on corporations. This involves the exploitation of an authentication bypass surrounding Zoho’s password-management and single sign-on process called ManageEngine ADSelfService Plus.

Related: Best data recovery software (opens in new tab).

Malware exploits Windows weakness

The security hole has been found to allow the install of the Godzilla webshell, a remote-control backdoor, along with other malware. Microsoft’s researchers have been outlining how they’ve been closely monitoring the movements of the Hafnium cybergang, following the initial discovery back in August of last year.

Evidence of companies being targeted have been documented as occurring right up until February of this year, especially those with Godzilla implants. Telecoms companies, internet service providers (opens in new tab) (ISPs) and data services organizations have all been flagged as being potential victims. 

Subsequent investigations have found evidence of Impacket tools being employed to infiltrate IT environments, alongside the task-scheduling antics being used by Tarrask.

Task-scheduling tools continue to be the focus of threat actors and other malware ploys in systems that have been compromised. The route is popular with hackers and cybercriminals because of their commonality on Windows systems, their easy to use appeal and the way they can be present with users frequently unaware that they’re there.

Microsoft experts have conceded that such job and task schedules have been present in Windows for so long that cybercriminals like the Hafnium gang have been able to develop a comprehensive understanding of the Windows subsystem.

The blog post (opens in new tab) by Microsoft’s researchers, outlines in detail how the process works. It illustrates how threat actors create scheduled tasks and quickly cover their tracks. It also reveals how the malware’s evasion techniques are used to maintain and ensure persistence on systems and, ultimately, how users can protect against this tactic.

How to find the best identity theft companies (opens in new tab).

Rob Clymo has been a tech journalist for more years than he can actually remember, having started out in the wacky world of print magazines before discovering the power of the internet. Since he's been all-digital he has run the Innovation channel during a few years at Microsoft as well as turning out regular news, reviews, features and other content for the likes of TechRadar, TechRadar Pro, Tom's Guide, Fit&Well, Gizmodo, Shortlist, Automotive Interiors World, Automotive Testing Technology International, Future of Transportation and Electric & Hybrid Vehicle Technology International. In the rare moments he's not working he's usually out and about on one of numerous e-bikes in his collection.