APT gear: Custom Windows task hiding tool
Cyber attackers, especially persistent ones, use a variety of tools to break into target systems, maintain their presence on them while hiding their actions, and exfiltrate information from them.
Given the enduring popularity of Microsoft Windows, some of these tools have been used for years and even decades.
Trend Micro researchers have recently spotted Vtask, a custom-made tool for hiding Windows tasks in the current session, being used in a targeted attack they were investigating, and an analysis of the code revealed that it was compiled over twelve years ago.
The tool was written in Visual Basic at a time when decompilers for VB programs did not yet exist, which made its code difficult for malware analysts to work with. Vtask hides the windows of executable programs, not the processes themselves: the hidden programs keep running in the background and can still be seen in Task Manager.
“This tool is especially useful when the platform of the targeted computer is not a Windows Server version,” the researchers noted and explained: “If the computer runs on platforms other than Windows Server, only one user can be logged on at a time. Thus, when the user logs on, the attacker loses the view of the desktop. Vtask is used to automatically hide the ongoing tasks conducted by the attacker.”
Vtask will show how many users are logged on to the affected computer, and what they do on it. It will also show from where the users are logging in, and will automatically hide tasks if the attacker is suddenly disconnected from the affected computer.
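The defender's counterpart to the behaviour described above is to look for the mismatch Vtask relies on: a process that owns titled top-level windows none of which is visible. The following PowerShell script is an added example written for this page, not code from Vtask or from the Trend Micro analysis; it P/Invokes the Win32 EnumWindows and IsWindowVisible APIs and reports processes whose every titled top-level window has been hidden, then lists the interactive sessions with the built-in quser command. The class name Win32Windows and the output field names are the example's own choices.

```powershell
# Added example (not part of the original article): find processes in the
# current session whose titled top-level windows are all hidden, which is
# what a window-hiding tool such as Vtask leaves behind, then list logon
# sessions the way an administrator would check who is connected.

Add-Type -TypeDefinition @"
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;

public static class Win32Windows {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);

    [DllImport("user32.dll")]
    static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")]
    static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll")]
    static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    static extern int GetWindowText(IntPtr hWnd, StringBuilder sb, int n);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    static extern int GetClassName(IntPtr hWnd, StringBuilder sb, int n);

    public class Info {
        public uint Pid; public IntPtr Handle; public string Title;
        public string Class; public bool Visible;
    }

    // EnumWindows only walks the caller's desktop, so run this inside the
    // session you want to inspect (e.g. the console session, not a second RDP one).
    public static List<Info> Enumerate() {
        var list = new List<Info>();
        EnumWindows((h, l) => {
            uint pid; GetWindowThreadProcessId(h, out pid);
            var t = new StringBuilder(512); GetWindowText(h, t, t.Capacity);
            var c = new StringBuilder(256); GetClassName(h, c, c.Capacity);
            list.Add(new Info { Pid = pid, Handle = h, Title = t.ToString(),
                                Class = c.ToString(), Visible = IsWindowVisible(h) });
            return true;
        }, IntPtr.Zero);
        return list;
    }
}
"@

$windows = [Win32Windows]::Enumerate()

# Group titled top-level windows by owning process and keep only the
# processes that have no visible window at all.
$suspects = $windows |
    Where-Object { $_.Title -ne '' } |
    Group-Object -Property Pid |
    Where-Object { -not ($_.Group | Where-Object { $_.Visible }) } |
    ForEach-Object {
        $p = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Pid          = [int]$_.Name
            Process      = if ($p) { $p.ProcessName } else { '?' }
            Path         = if ($p) { $p.Path } else { '?' }
            HiddenTitles = (($_.Group | ForEach-Object { $_.Title }) | Select-Object -Unique) -join '; '
        }
    }

"Processes whose titled top-level windows are all hidden:"
$suspects | Format-Table -AutoSize

# Who is logged on, from which session, and since when (quser is built in).
"Interactive sessions on this host:"
quser 2>$null
```

Expect legitimate hits as well: tray applications, message-only windows and minimised-to-tray programs also keep hidden top-level windows, so treat the list as a triage view and compare the Path column against what should be running on that host. A console tool the attacker launched (cmd.exe, a file transfer client, a scanner) showing up with a hidden titled window and no user at the keyboard is the pattern worth chasing.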
“Based on the features of Vtask, this tool was used by attackers during the lateral movement stage in a targeted attack. This is the stage in which attackers seek valuable hosts that house sensitive information within the target network,” the researchers opined. “Moving within the target network requires stealth—which this tool provides by hiding running tasks and alerting attackers to log-in attempts.”
The analysis of Vtask also revealed that the attackers might be based in China: the tool tries to hide connections from IP addresses in a range associated with the country's Fujian region.
The researchers have provided a hash for the tool so that IT administrators can look for it on the systems they oversee. They also advise removing local administrator rights from ordinary users, so that an attacker who compromises a regular user's system has a limited range of action within the network.