A recent investigation by the FortiGuard Incident Response Team (FGIR) has revealed a sophisticated campaign targeting critical national infrastructure (CNI) in the Middle East, where attackers exploited the Windows Task Scheduler to maintain persistent control over compromised systems.
The attackers deployed a variant of the Havoc Remote Access Trojan (RAT), a well-known post-exploitation framework, using a cleverly disguised process injection technique.
According to the report, the adversary added multiple pieces of malware to the Task Scheduler, ensuring that malicious payloads would execute automatically at predefined intervals.
This allowed the attackers to regain access even after system reboots or failed connections. The malware sample analyzed in this campaign leveraged a custom remote injector masquerading as “conhost.exe” (Console Window Host), a legitimate Windows process responsible for handling command-line interfaces.
By mimicking this legitimate process, the malware evaded detection and raised fewer suspicions among security analysts.
Technical Deep Dive: Process Injection and Command & Control
The attack begins with the Task Scheduler launching the rogue “conhost.exe” with specific command-line arguments:
C:\Windows\System32\drivers\conhost.exe -f conhost.dll -ER --ln --path cmd.exe
Here, “conhost.dll” contains the encrypted Havoc payload, and “cmd.exe” is the target process into which the payload is injected.
Once executed, the remote injector decrypts the Havoc agent (demon) using shellcode embedded in “conhost.dll,” with the decryption key and initialization vector (IV) derived from the first 30H bytes of the DLL.
The injector then allocates memory in the newly created “cmd.exe” process using Windows API calls such as ZwAllocateVirtualMemory() and ZwWriteVirtualMemory(), and injects the decrypted shellcode and Havoc executable.
Finally, it creates a remote thread via ZwCreateThreadEx() to execute the injected code. This technique allows the malware to operate within a legitimate process, making detection and remediation more challenging.
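A hunting check for the masquerading and persistence chain described above, added here as an example and not part of the FortiGuard report: it scans constructed process-creation records (Sysmon-style field names are an assumption) for a conhost.exe image outside the real System32 location, for the injector's `-f <dll> ... --path <target>` argument shape, for the SHA-256 values from the IOC list, and for a scheduled-task parent.

```python
import re

# The real Console Window Host lives here; the injector ran from System32\drivers instead.
LEGIT_CONHOST = r"c:\windows\system32\conhost.exe"
# SHA-256 values taken from the report's IOC list.
KNOWN_BAD_SHA256 = {
    "22BD09FBAB54963D4B0234585D33571A47A2DF569DBAB8B40988415AB0A3C37B",  # fake conhost.exe
    "9208034AF160357C99B45564FF54570B1510BAF3BC033999AE4281482617FF5B",  # conhost.dll
}
# Argument shape of the injector: "-f <payload dll> ... --path <target process>".
INJECTOR_ARGS = re.compile(r"\s-f\s+\S+\.dll\b.*--path\s+\S+", re.IGNORECASE)

def assess_event(event):
    """Return the reasons a process-creation record matches the fake-conhost injector.
    Field names (Image, CommandLine, ParentImage, SHA256) follow Sysmon and are an assumption."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    reasons = []
    if image.rsplit("\\", 1)[-1].lower() == "conhost.exe" and image.lower() != LEGIT_CONHOST:
        reasons.append("conhost.exe launched from outside System32: " + image)
    if INJECTOR_ARGS.search(cmdline):
        reasons.append("injector-style arguments: " + cmdline)
    if event.get("SHA256", "").upper() in KNOWN_BAD_SHA256:
        reasons.append("SHA-256 matches a Havoc IOC")
    # The Schedule service runs inside svchost.exe, so that parent points at task-based persistence.
    if reasons and event.get("ParentImage", "").lower().endswith("\\svchost.exe"):
        reasons.append("started by a scheduled task (parent svchost.exe)")
    return reasons

def scan(events):
    """Return (index, reasons) for every record that triggers at least one check."""
    hits = [(i, assess_event(e)) for i, e in enumerate(events)]
    return [(i, r) for i, r in hits if r]

# Constructed sample records: one matching the campaign, one ordinary conhost launch.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\drivers\conhost.exe",
     "CommandLine": r"C:\Windows\System32\drivers\conhost.exe -f conhost.dll -ER --ln --path cmd.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "SHA256": "22BD09FBAB54963D4B0234585D33571A47A2DF569DBAB8B40988415AB0A3C37B"},
    {"Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\WINDOWS\system32\conhost.exe 0x4",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "SHA256": "0" * 64},  # placeholder hash for the benign record
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(f"record {index}: " + "; ".join(reasons))
```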
Havoc is a modular RAT written in multiple languages, including Go and C++. Its command and control (C2) server, known as the “teamserver,” communicates with the “demon” agent on the compromised device using HTTP, HTTPS, or SMB protocols.
In this campaign, the C2 server was hardcoded to “apps[.]gist[.]githubapp[.]net,” although it was found to be offline during the investigation.
To analyze the malware’s behavior, researchers set up a simulated C2 server and captured plaintext traffic by switching from HTTPS to HTTP.
Detection and Defense: Fortinet’s Multi-Layered Protection
Fortinet’s analysis highlights the importance of robust endpoint and network security solutions. The company’s AntiVirus, Anti-Botnet, and Web Filtering services are already detecting and blocking this threat.
Specifically, the Anti-Botnet service blocks DNS requests to the malicious C2 domain, while the Web Filtering service rates the domain as “Malicious.”
FortiGuard’s AntiVirus signatures detect the remote injector and encrypted Havoc DLL with identifiers such as “W64/Havoc.d16b!tr” and “Data/Havoc.e5b0!tr.”
Additionally, the Intrusion Prevention System (IPS) identifies Havoc traffic using the signature “Backdoor.Havoc.Agent.”
Organizations are advised to ensure their security solutions are up to date and to educate staff on recognizing phishing and other common attack vectors.
The detailed analysis of the malware’s persistence mechanisms, command structure, and network communication provides valuable insights for threat hunters and incident responders aiming to detect and mitigate similar threats.
Indicators of Compromise (IOCs):
- C2 Server: apps[.]gist[.]githubapp[.]net
- SHA-256 (conhost.exe): 22BD09FBAB54963D4B0234585D33571A47A2DF569DBAB8B40988415AB0A3C37B
- SHA-256 (conhost.dll): 9208034AF160357C99B45564FF54570B1510BAF3BC033999AE4281482617FF5B
By understanding and sharing these technical details, the cybersecurity community can better defend against advanced threats that exploit trusted Windows mechanisms for stealthy, persistent control.