Microsoft has detected the Tarrask malware, which in all likelihood is the work of Chinese hackers sponsored by that country's intelligence services. The malware makes hard-to-detect changes to the Windows component that runs automated jobs such as software updates.
A Microsoft investigation found that the malware is the work of the hacker group Hafnium, which repeatedly attacked Exchange Server installations last year. Tarrask abuses the Windows Task Scheduler, which is used to run many routine jobs automatically, including application updates.
This is nothing new: attackers have abused the Task Scheduler many times before, and scheduled tasks have become a popular way of compromising Windows computers.
Microsoft has previously found that the Russian hackers behind the SolarWinds attack used this very method in recent years to attack their victims and disrupt the supply chain. Despite their simplicity, attacks of this type are effective and difficult to detect.
Tarrask creates specific keys in the part of the registry that stores scheduled tasks, and tasks registered there run regardless of whether they were configured through the graphical interface or the command line.
Microsoft has already published a document instructing users how to manually browse the registry tree and check whether attackers have created unwanted scheduled tasks there.
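As an added example that is not part of the article or of Microsoft's guidance document, the PowerShell script below performs the registry check the article refers to for a whole machine at once. It walks every task key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, the location where the Task Scheduler stores its registered tasks, and reports any entry that is missing its SD (security descriptor) value or that the Task Scheduler API does not return. Microsoft's public write-up on Tarrask described the hiding technique as deleting that SD value, which makes the task vanish from schtasks and the Task Scheduler console while the registry entry and its actions remain; that detail comes from the write-up, not from the article above. The script assumes Windows 10 or Windows Server 2016 or later (so the ScheduledTasks module is present) and an elevated session; the function names are my own.

```powershell
# Added example, not from the article or from Microsoft's guidance document.
# Assumes an elevated PowerShell session on Windows 10 / Server 2016 or later,
# so that every key under TaskCache\Tree is readable and Get-ScheduledTask exists.

$TreeRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

function Get-RegistryTaskEntries {
    # Leaf keys under Tree that carry an Id value are registered tasks; keys with
    # children are task folders. A normally registered task key also has an SD value
    # holding the security descriptor the Task Scheduler service consults before it
    # lists the task, so a task key without SD is exactly the Tarrask pattern.
    Get-ChildItem -Path $TreeRoot -Recurse |
        Where-Object { $_.SubKeyCount -eq 0 } |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            if ($null -eq $props.Id) { return }   # empty folder, not a task
            [PSCustomObject]@{
                # Path relative to the Tree root, e.g. \Microsoft\Windows\Defrag\ScheduledDefrag
                TaskPath = $_.Name.Substring($_.Name.IndexOf('\Tree\') + 5)
                Id       = $props.Id
                HasSD    = ($null -ne $props.SD)
            }
        }
}

function Find-HiddenScheduledTasks {
    # Build the set of tasks the Task Scheduler API is willing to report, then
    # flag every registry task that is missing from it or that has no SD value.
    $visible = @{}
    foreach ($t in Get-ScheduledTask) {
        # TaskPath ends with a backslash ("\Microsoft\Windows\Defrag\"), so the
        # concatenation matches the registry-relative path built above.
        $visible[($t.TaskPath + $t.TaskName)] = $true
    }

    foreach ($entry in Get-RegistryTaskEntries) {
        $reasons = @()
        if (-not $entry.HasSD) { $reasons += 'no SD value' }
        if (-not $visible.ContainsKey($entry.TaskPath)) { $reasons += 'not returned by Get-ScheduledTask' }
        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                TaskPath = $entry.TaskPath
                Id       = $entry.Id
                Reason   = ($reasons -join '; ')
            }
        }
    }
}

# Usage: run elevated; an empty table means the registry and the API agree.
Find-HiddenScheduledTasks | Format-Table -AutoSize
```

Every row the script prints is a discrepancy to examine by hand, not proof of compromise on its own: the Id value points at the matching key under TaskCache\Tasks, where the task's actions and triggers are stored, and that is where to look to decide whether the entry is legitimate before removing it. The check relies on the API and the registry disagreeing, so it should be run from an elevated session; with lower privileges some keys are unreadable and would be silently skipped.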