Tarrask

Tarrask is a malicious software (malware) that has been utilized by the threat actor group known as "HAFNIUM," also referred to as Silk Typhoon. This state-sponsored group, operating from China, uses Tarrask to establish persistent connections and conceal their malicious activity on infected Windows devices. The malware operates by creating new registry keys and scheduled tasks, a common method for persistence and defense evasion. It further conceals these tasks from traditional means of identification by removing task attributes. In addition, Tarrask employs token theft to obtain security permissions associated with the lsass.exe process, enhancing its ability to infiltrate and manipulate systems. The operation of Tarrask was detected through Microsoft Defender AV, which identified related artifacts in the SecurityAlerts table. Upon creation of a scheduled task, Tarrask generates several artifacts, whether using the Task Scheduler GUI or the schtasks command line utility. Forensic investigation revealed usage of the Impacket tooling for lateral movement and execution, pointing to the sophisticated nature of this malware. Additionally, a specific hash match related to Tarrask malware was identified across various data sources, providing further evidence of its presence and operation. Several files associated with Tarrask have been identified, including winupdate.exe, date.exe, and win.exe among others. These files contribute to the functionality and stealth of the malware, enabling it to infect systems and evade detection. The simplicity of the techniques used by Tarrask, such as scheduled task abuse, underscores the effectiveness of this malware. As such, it's critical for organizations to remain vigilant and employ robust cybersecurity measures to detect and mitigate the threat posed by Tarrask and similar malware.