Tarrask

Malware Profile Updated 3 months ago
Tarrask is malware used by HAFNIUM, the China-based state-sponsored threat actor also tracked as Silk Typhoon. HAFNIUM uses it to keep persistent access to compromised Windows hosts and to hide that persistence from defenders.

Tarrask persists by creating scheduled tasks, which in turn creates the registry keys Windows keeps for every task under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache. Scheduled-task abuse is a common persistence and defense-evasion technique; what distinguishes Tarrask is how it conceals the task afterwards. It deletes the task's SD (security descriptor) value from the task's key under TaskCache\Tree, after which the task no longer appears in the Task Scheduler GUI or in schtasks /query output, yet it still runs on its schedule. Deleting that value requires SYSTEM privileges, so Tarrask steals the access token of lsass.exe to obtain them.

Any scheduled task, whether created through the Task Scheduler GUI, the schtasks command-line utility, or directly by malware, leaves the same artifacts: a key under TaskCache\Tree named after the task, a key under TaskCache\Tasks named by the task's GUID, and an XML definition in %SystemRoot%\System32\Tasks. A task that has registry or XML artifacts but no SD value, or that the scheduler API no longer lists, is the signature of this technique and warrants investigation. Task creation is also logged (Security event 4698 when object-access auditing is enabled, and the Microsoft-Windows-TaskScheduler/Operational log once it is turned on), so a task can be hidden from enumeration without being hidden from the event logs.

In the reporting this profile draws on, Tarrask activity surfaced as Microsoft Defender Antivirus detections recorded in the SecurityAlerts table, and a hash match for Tarrask binaries was found across several data sources. Forensic investigation also found Impacket tooling used for lateral movement and execution on the same hosts. Files associated with Tarrask include winupdate.exe, date.exe and win.exe, among others; these are the names the Tarrask binaries were observed under.

The techniques involved are simple, and that simplicity is what makes them effective: a scheduled task survives reboots, a single deleted registry value removes it from the tools most administrators use to look for it, and nothing about the task name has to look suspicious. Organizations should enumerate TaskCache\Tree for tasks lacking an SD value, centralize task-creation logging, and investigate Defender alerts tied to this activity together with the lateral-movement tooling (such as Impacket) that accompanied it.
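One way to hunt for the hidden-task pattern described above, as an added example that is not part of this profile, of Microsoft's blog, or of Tarrask itself: a PowerShell script, run elevated on a live Windows host, that walks the TaskCache registry, flags task entries that have no SD value or that Get-ScheduledTask no longer lists, pulls the command from each task's XML definition, and lists recent task-creation events. The registry layout, file locations and the 4698 event field positions are standard Windows facts; the function name, the KnownNames list (taken from the file names this profile lists) and the output fields are this example's own assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not Tarrask's code, nor from the Microsoft blog): hunt for
# scheduled tasks hidden the way Tarrask hides them, i.e. task entries in the
# TaskCache registry whose SD (security descriptor) value has been deleted.
# Assumes the standard TaskCache layout (Tree = task/folder hierarchy,
# Tasks\{GUID} = per-task details) and XML definitions under System32\Tasks.

$TreeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$TasksRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
$XmlRoot   = Join-Path $env:SystemRoot 'System32\Tasks'

# File names this profile lists for Tarrask. A match is a hint, not proof;
# a hidden task running any other command is still worth a look.
$KnownNames = @('winupdate.exe', 'date.exe', 'win.exe')

function Get-HiddenScheduledTask {
    # Task paths the Task Scheduler API is willing to show. A task whose SD
    # value was deleted is missing here even though its registry and XML
    # artifacts still exist and it still runs.
    $visible = @{}
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        ForEach-Object { $visible[$_.TaskPath + $_.TaskName] = $true }

    $rootName = (Get-Item -Path $TreeRoot).Name   # e.g. HKEY_LOCAL_MACHINE\...\TaskCache\Tree

    foreach ($key in Get-ChildItem -Path $TreeRoot -Recurse) {
        $props = Get-ItemProperty -Path $key.PSPath
        $id = $props.Id
        if (-not $id) { continue }

        # Both task and folder nodes under Tree carry an Id; only a task's Id
        # has a matching Tasks\{GUID} key, so use that to tell them apart.
        if (-not (Test-Path -Path (Join-Path $TasksRoot $id))) { continue }

        $taskPath = $key.Name.Substring($rootName.Length)   # e.g. \Microsoft\Windows\Foo\Bar
        $hasSD    = $props.PSObject.Properties.Name -contains 'SD'
        $xmlPath  = Join-Path $XmlRoot $taskPath.TrimStart('\')

        # Pull the command(s) the task runs from its XML definition, if present.
        $command = $null
        if (Test-Path -Path $xmlPath) {
            try {
                $xml = [xml](Get-Content -Path $xmlPath -Raw)
                $command = ($xml.Task.Actions.Exec |
                    ForEach-Object { "$($_.Command) $($_.Arguments)".Trim() }) -join '; '
            } catch { $command = '<unparseable XML>' }
        }
        $cmdLower = if ($command) { $command.ToLower() } else { '' }

        [pscustomobject]@{
            TaskPath         = $taskPath
            Id               = $id
            HasSD            = $hasSD
            VisibleViaApi    = [bool]$visible[$taskPath]
            XmlOnDisk        = Test-Path -Path $xmlPath
            Command          = $command
            KnownTarraskName = [bool]($KnownNames | Where-Object { $cmdLower.Contains($_) })
        }
    }
}

# Report the Tarrask pattern first: registry artifacts present, SD missing
# or the API no longer lists the task.
Get-HiddenScheduledTask |
    Where-Object { -not $_.HasSD -or -not $_.VisibleViaApi } |
    Format-Table TaskPath, HasSD, VisibleViaApi, XmlOnDisk, KnownTarraskName, Command -AutoSize

# Even a hidden task's creation was logged at the time it was created.
# Security event 4698 needs the "Audit Other Object Access Events" subcategory;
# the Task Scheduler operational log is off by default and must be enabled
# (wevtutil sl Microsoft-Windows-TaskScheduler/Operational /e:true) to record.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Creator';  e = { $_.Properties[1].Value } },   # SubjectUserName
        @{ n = 'TaskName'; e = { $_.Properties[4].Value } }    # TaskName field of 4698
```

Do not filter by task name: Tarrask tasks are placed among legitimate-looking entries, and the only reliable signal is the missing SD value or the mismatch between registry artifacts and what the scheduler API reports. On a collected disk image rather than a live host, the same check is done by parsing the SOFTWARE hive offline; this script reads the live registry only.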
Miscellaneous Associations
Tags: Malware, APT, State Sponso..., Vulnerability, Web Shell, Microsoft, Lateral Move..., Windows
Associated Malware
- Godzilla Web Shell (type: Unspecified; votes: 1): The Godzilla Web Shell is a type of malware that has been used by threat actors to exploit vulnerabilities in systems. Malware, or malicious software, is a harmful program designed to infiltrate and damage computers or devices, often without the knowledge of the user. It can enter your system throug
Associated Threat Actors
- HAFNIUM (type: Unspecified; votes: 1): Hafnium, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cybersecurity threat. The group is known for exploiting vulnerabilities in software such as Microsoft Exchange Server and Zoho products. In 2021, Hafnium was actively exploiting a bug in the Microso
- Silk Typhoon (type: Unspecified; votes: 1): Silk Typhoon, also known as Hafnium, is a state-sponsored threat actor originating from China. The group first came to prominence in March 2021 when it was linked to the exploitation of Microsoft Exchange Server vulnerabilities. This group has been particularly noted for its use of Exchange PowerShe
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Tarrask malware was read from the documents corpus below (display limited to 20 results).
- CERT-EU, 7 months ago: Hackers Modifying Registry Keys and Establishing Persistence | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
- CERT-EU, 7 months ago: Q4 2023 Security Use Cases: Insights From Success Services
- MITRE, a year ago: Tarrask malware uses scheduled tasks for defense evasion - Microsoft Security Blog