Threat Actors Embed Malware on Windows System’s Task Scheduler to Maintain Persistence

A sophisticated cyber attack targeting critical national infrastructure in the Middle East has revealed how threat actors are leveraging Windows Task Scheduler to maintain persistent access to compromised systems.

The attack involves a malicious variant of the Havoc framework, a well-known post-exploitation command and control backdoor primarily written in C++ and Go, demonstrating advanced techniques for system infiltration and long-term persistence.

The malware campaign represents a significant escalation in targeting critical infrastructure, with attackers successfully maintaining prolonged access to systems through carefully crafted persistence mechanisms.

The attack vector utilizes a disguised remote injector masquerading as the legitimate Windows Console Host process (conhost.exe), which has been a standard component of Windows operating systems since Windows 7.

Help information for the Remote Injector (Source – Fortinet)

This strategic deception allows the malware to blend seamlessly with legitimate system processes, significantly reducing the likelihood of detection by security monitoring tools.

Fortinet analysts identified this sophisticated attack during their investigation into the intrusion targeting Middle East critical national infrastructure.

The researchers discovered that attackers had strategically placed multiple malicious components within the system’s Task Scheduler to ensure continuous access even after system reboots or security interventions.

The malware’s persistence strategy demonstrates a deep understanding of Windows system architecture and security mechanisms.

The attack begins with the execution of a malicious file disguised as conhost.exe, launched through Windows Task Scheduler using the command line: C:\Windows\System32\drivers\conhost.exe -f conhost.dll -ER --ln --path cmd.exe.

Memory view of the decrypted conhost.dll payload (Source – Fortinet)

This command structure reveals the sophisticated nature of the attack: the “-f” parameter specifies the encrypted Havoc payload contained within conhost.dll, while the “--path” parameter designates cmd.exe as the target process for injection.
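A defender can triage exported scheduled-task definitions for exactly this shape of action. The following Python script is an added example, not code from the article or from Fortinet: it parses Task Scheduler XML (as produced by schtasks /query /xml) and flags an action whose executable carries a System32 binary name but lives elsewhere, or whose arguments follow the injector's "-f <dll> ... --path <process>" pattern. The sample task XML, the binary list and the regular expression are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Namespace of Task Scheduler XML (schtasks /query /xml, %SystemRoot%\System32\Tasks).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Binaries whose legitimate home is System32/SysWOW64; one of these names running
# from elsewhere (the drivers folder in this campaign) is a masquerading indicator.
SYSTEM_BINARIES = {"conhost.exe", "svchost.exe", "rundll32.exe", "cmd.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Argument shape of the injector from the article: -f <payload>.dll ... --path <target>.
INJECTOR_ARGS = re.compile(r"-f\s+\S+\.dll\b.*--path\s+\S+", re.IGNORECASE)

def normalize_command(command):
    """Strip quotes and expand %SystemRoot%/%windir% so paths compare equally."""
    cmd = command.strip().strip('"')
    for var in ("%systemroot%", "%windir%"):
        if cmd.lower().startswith(var):
            cmd = r"C:\Windows" + cmd[len(var):]
    return cmd

def triage_task_xml(xml_text):
    """Return (reason, command line) findings for one task definition."""
    root = ET.fromstring(xml_text)
    findings = []
    for exec_node in root.iterfind(".//t:Actions/t:Exec", NS):
        command = normalize_command(exec_node.findtext("t:Command", "", NS))
        args = (exec_node.findtext("t:Arguments", "", NS) or "").strip()
        full = f"{command} {args}".strip()
        path = PureWindowsPath(command)
        parent = str(path.parent).lower()
        # Only judge fully qualified paths; a bare name resolves through PATH.
        if path.name.lower() in SYSTEM_BINARIES and path.anchor and parent not in SYSTEM_DIRS:
            findings.append(("system binary name outside System32", full))
        if INJECTOR_ARGS.search(args):
            findings.append(("remote-injector argument pattern", full))
    return findings

# Constructed sample: the campaign's task action as Task Scheduler exports it
# (command and arguments are separate elements).
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\drivers\conhost.exe</Command>
      <Arguments>-f conhost.dll -ER --ln --path cmd.exe</Arguments>
    </Exec>
  </Actions>
</Task>"""
```

Running triage_task_xml over every file under %SystemRoot%\System32\Tasks on a suspect host yields both findings for the sample above and nothing for a task that launches C:\Windows\System32\conhost.exe with ordinary arguments.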

Injection and Decryption Mechanism

The remote injector employs advanced process injection techniques to deploy the Havoc payload.

Upon execution, it creates a new cmd.exe process using the CreateProcessA() API, establishing a seemingly legitimate process that serves as the host for the malicious payload.

The injector then decrypts the Havoc agent using embedded shellcode within the conhost.dll file, with the decryption key and initialization vector derived from the first 48 bytes of the DLL file.

The injection process utilizes low-level Windows APIs including ZwAllocateVirtualMemory() and ZwWriteVirtualMemory() to inject both the decrypted shellcode and the Havoc executable into the newly created cmd.exe process.

Finally, the malware establishes execution through ZwCreateThreadEx(), creating a remote thread within the target process that executes the injected shellcode, effectively deploying the Havoc backdoor while maintaining the appearance of legitimate system activity.


The post Threat Actors Embed Malware on Windows System’s Task Scheduler to Maintain Persistence appeared first on Cyber Security News.