Windows is attacked unnoticed by Chinese Tarrask malware

The Windows Task Scheduler is abused by malware to hide itself. This hacking tool called Tarrask uses a previously unknown bug to remove the Security Descriptor registry. As a result, the malicious process is not noticed by the scheduler. This preserves access to hacked devices even after a reboot.

110918 fig5 successful deletion of sd in command prompt

Microsoft writes that in a blog post to create awareness around the attacks. These come from Hafnium, a Chinese government sponsored group that was part of the Microsoft Exchange Meltdonw. The enormous amount of data released in the process would be used by China for ai development. The Tarrask software is used to keep malware-infected systems vulnerable without being noticed. For this, the entire process could also be deleted but then access would be lost after a restart.

110919 fig4 deletion of the security descriptor sd value

The hidden tasks can only be found manually by searching the Windows Registry for tasks without a security descriptor value in the Task Key. In the logs of Security.evtx and Microsoft-Windows-TaskScheduler/Operational.evtx, the hiding of these tasks may also be noticed. The manufacturer recommends that connections with sensitive data be closely monitored. Furthermore, no definitive solution to the bug is yet offered.

110922 fig1 tarrask malware creates new registry keys along with the creation of new scheduled tasks


We zijn even gesloten.


Beste Klant,

Onze winkel is gesloten van 15/07 t.e.m. 22/07. We zijn terug open vanaf Dinsdag 23/07.

Voor dringende zaken blijven we wel bereikbaar via mail op:

– Het ALLCORE-IT Team –

Inschrijven voor onze nieuwsbrief

* indicates required

Selecteer op welke manier we u mogen contacteren:

U kunt op ieder moment zich uitschrijven op onze emails door op de link te klikken in de voet van onze emails. Voor meer informatie omtrent privacy, bezoek onze website.

Wij gebruiken Mailchimp als ons marketing platform. Door onderaan op inschrijven te klikken stem je toe dat uw emailadres zal worden doorgegeven aan mailchimp om te verwerken. Lees hier meer over Mailchimp's verwerking van privacy data.