Tarrask

Malware updated 6 months ago (2024-05-05T07:17:44.669Z)
Download STIX
Preview STIX
Tarrask is a malicious software (malware) that has been utilized by the threat actor group known as "HAFNIUM," also referred to as Silk Typhoon. This state-sponsored group, operating from China, uses Tarrask to establish persistent connections and conceal their malicious activity on infected Windows devices. The malware operates by creating new registry keys and scheduled tasks, a common method for persistence and defense evasion. It further conceals these tasks from traditional means of identification by removing task attributes. In addition, Tarrask employs token theft to obtain security permissions associated with the lsass.exe process, enhancing its ability to infiltrate and manipulate systems. The operation of Tarrask was detected through Microsoft Defender AV, which identified related artifacts in the SecurityAlerts table. Upon creation of a scheduled task, Tarrask generates several artifacts, whether using the Task Scheduler GUI or the schtasks command line utility. Forensic investigation revealed usage of the Impacket tooling for lateral movement and execution, pointing to the sophisticated nature of this malware. Additionally, a specific hash match related to Tarrask malware was identified across various data sources, providing further evidence of its presence and operation. Several files associated with Tarrask have been identified, including winupdate.exe, date.exe, and win.exe among others. These files contribute to the functionality and stealth of the malware, enabling it to infect systems and evade detection. The simplicity of the techniques used by Tarrask, such as scheduled task abuse, underscores the effectiveness of this malware. As such, it's critical for organizations to remain vigilant and employ robust cybersecurity measures to detect and mitigate the threat posed by Tarrask and similar malware.
Description last updated: 2024-05-05T06:30:05.171Z
What's your take? (Question 1 of 0)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Tarrask Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more