Over a Decade and Still Running: Targeted Attack Tool Hides Windows Tasks
Our engineers were investigating a case involving a targeted attack when they came across a custom tool called vtask.exe. Once executed, vtask.exe hides Windows tasks in the current session. What’s curious about this attacker-created tool is that it appears to have been compiled in 2002—twelve years ago.
A Look at Vtask
The compiler time shows that Vtask is a tool written in Visual Basic (VB) and compiled on November 2002. We can image the situation 12 years ago: Decompilers for VB programs were not available yet, which made analysis of this tool difficult.
Vtask.exe requires an .OCX component generated by the old VB compiler. In this case, the required .OCX component is mshflxgd.ocx. A compiler is not necessary but the .OCX file is in order for Vtask to run. It bears stressing that mshflxgd.ocx is a common library. Other software may use it as well. The presence of this component doesn’t automatically mean the computer also has Vtask.
Vtask is not a rootkit, so it can only hide windows of executables, not processes. We can still see the processes running in the background via Task Manager.
Hiding Running Tasks
Vtask is used to hide windows of executable programs. This tool is especially useful when the platform of the targeted computer is not a Windows Server version. Windows Server allows multiple users to log in, with each login having a different version of the desktop, even if they use the same login credentials.
If the targeted computer runs on Windows Server, the users will not be able to see the desktop of the attacker.
Figure 1. Desktop before Vtask is launched
Figure 2. Desktop after Vtask has launched
However, if the computer runs on platforms other than Windows Server, only one user can be logged at a time. Thus, when the user logs on, the attacker loses the view of the desktop. Vtask is used to automatically hide the ongoing tasks conducted by the attacker.
The main window of Vtask will show how many users are logged on to the affected computer, plus a filtered process monitor to show important details and activity.
For example, the screenshot on the left below shows that we come from a specific IP address by Remote Desktop Protocol (RDP) via Port 3389. The right screenshot shows that no one is using the console, because the screen saver is executing. We can also see the settings that show some features. For example, the AutoNotice function will make the main window flash once when someone is trying to log in.
Figure 3. Main window of Vtask
Based on the features of Vtask, this tool was used by attackers during the lateral movement stage in a targeted attack. This is the stage in which attackers seek valuable hosts that house sensitive information within the target network. Moving within the target network requires stealth—which this tool provides by hiding running tasks and alerting attackers to log in attempts.
Vtask Running on RDP
The “Help” button located on the top left side of the main window does not actually offer assistance. If clicked, it will instead hide all tasks, even those in the taskbar. Vtask will also automatically hide tasks if the attacker is suddenly disconnected from the affected computer due to network issues or login issues. Once the attacker is able to log in again, they can use hot keys (CTRL+ALT+ SHIFT+F10 ) to call the tasks back from the background to the foreground.
Vtask Running on Console
When you execute vtask.exe in the console, it will hide all tasks after three seconds because there is only one console in one computer. But how can a remote hacker “connect” to a victim’s console? RDP had just been introduced to Windows then and several Virtual Network Computing (VNC) software were also introduced at the time. The attacker may have also used software like Radmin to use the console. If a legitimate user account creates any process after Vtask has been executed in console, Vtask will automatically and immediately delete all hidden tasks.
Hiding Specific IP Addresses
The most interesting part is that Vtask will try to hide IPs coming from a specific IP range, 61.154.x.x, which implies that this is a possible source of attacks. The IP address range traces back to the Fujian region in China.
Organizations and businesses can employ several security measures to protect themselves from tools used targeted attacks. This includes the use of application control, security and information event management (SIEM), and adapting a custom defense solution.
Organizations should also remove local administrator rights for users. Not having administrator rights can help limit what users (and potential attackers) can do within the network. IT administrators can also utilize indicators of compromise (IoCs) to locate for file names or MD5/SHA hashes for applications. In this case, the hash for Vtask is 2a73211747209b7a98a7e53c0ffe2b589782811b.
IT administrators can also refer to two entries that talk at length about identifying such tools: