Russia’s APT28 Hackers Exploited Windows Flaw To Deploy ‘GooseEgg’ Malware

Microsoft recently disclosed that the Russian threat group "APT28" used a previously unknown hacking tool, "GooseEgg", to exploit a Windows Print Spooler vulnerability to gain elevated access to target systems and steal credentials and information.

According to the Redmond giant’s threat intelligence team, APT28, also called Fancy Bear and Forest Blizzard (formerly Strontium), has been using the post-compromise tool since at least June 2020 and possibly as early as April 2019 to exploit the CVE-2022-38028 (CVSS score: 7.8) vulnerability in Windows Print Spooler service.

This tool modifies a JavaScript constraints file and executes it with SYSTEM-level permissions.

Microsoft addressed CVE-2022-38028, which was reported by the U.S. National Security Agency (NSA), in its October 2022 Patch Tuesday security updates, but the advisory at the time did not indicate that the flaw was being exploited in the wild.

Microsoft has observed APT28 using GooseEgg as part of post-compromise activities against various targets, including government, non-governmental, education, and transportation sector organizations in Ukraine, Western Europe, and North America.

While GooseEgg is a simple launcher application, it can spawn other applications at the command line with elevated permissions.

This allows threat actors to support malicious activities such as remote code execution, installing a backdoor, and moving laterally through compromised networks.

The U.S. and UK governments have linked Forest Blizzard to Unit 26165 of the Russian Federation’s military intelligence agency, the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

“Microsoft has observed that, after obtaining access to a target device, Forest Blizzard uses GooseEgg to elevate privileges within the environment. GooseEgg is typically deployed with a batch script, which we have observed using the name execute.bat and doit.bat. This batch script writes the file servtask.bat, which contains commands for saving off/compressing registry hives. The batch script invokes the paired GooseEgg executable and sets up persistence as a scheduled task designed to run servtask.bat,” reads the advisory published by Microsoft on Monday.

Microsoft researchers noted that the embedded malicious DLL, whose file name typically includes the phrase "wayzgoose" (for example, wayzgoose23.dll), is a basic launcher that threat actors use to run other payloads with SYSTEM-level permissions, install a backdoor, move laterally through the victim's network, and remotely execute code on breached systems.
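The deployment chain described above (execute.bat/doit.bat, the written servtask.bat, a scheduled task that runs it, and a wayzgoose*.dll launcher) gives a defender a handful of concrete names to hunt for. The following PowerShell is an added example written for this article, not Microsoft's own hunting query or anything from the GooseEgg advisory; the directories it searches and the name patterns it treats as suspicious are assumptions based only on the file names quoted above, so a clean result here does not prove a host is uncompromised.

```powershell
# Added example (not from Microsoft's advisory): hunt a single Windows host for
# artifacts named in the GooseEgg write-up. Run in an elevated PowerShell session.

# File names quoted in the advisory (assumption: attackers may rename them).
$batchNames  = @('execute.bat', 'doit.bat', 'servtask.bat')
$dllPattern  = 'wayzgoose*.dll'

# Directories to walk. Assumption: these are typical drop locations; adjust as needed.
$searchRoots = @("$env:SystemDrive\", $env:ProgramData, $env:TEMP) | Select-Object -Unique

# 1. Scheduled tasks whose action runs servtask.bat, the persistence mechanism
#    described in the advisory. Task actions expose Execute and Arguments.
$suspectTasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object {
        ($_.Execute   -match 'servtask\.bat') -or
        ($_.Arguments -match 'servtask\.bat')
    }
}
if ($suspectTasks) {
    Write-Warning "Scheduled task(s) referencing servtask.bat:"
    $suspectTasks | ForEach-Object {
        foreach ($a in $_.Actions) {
            [pscustomobject]@{
                TaskPath  = $_.TaskPath
                TaskName  = $_.TaskName
                Execute   = $a.Execute
                Arguments = $a.Arguments
            }
        }
    } | Format-Table -AutoSize
}

# 2. Batch files and wayzgoose*.dll launchers on disk. Recursing the system drive
#    is slow on large hosts; narrow $searchRoots if this is run at scale.
$hits = foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { ($batchNames -contains $_.Name) -or ($_.Name -like $dllPattern) }
}

if ($hits) {
    Write-Warning "File name matches:"
    $hits | ForEach-Object {
        [pscustomobject]@{
            FullName      = $_.FullName
            Length        = $_.Length
            CreationTime  = $_.CreationTime
            LastWriteTime = $_.LastWriteTime
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-Table -AutoSize
} else {
    Write-Host "No file name matches under: $($searchRoots -join ', ')"
}
```

The SHA256 column is there so any hit can be compared against the hashes Microsoft published with its advisory rather than judged on the file name alone; a file named wayzgoose23.dll is suspicious, but the hash is what ties it to this tooling.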

As mentioned earlier, the company patched the Print Spooler security flaw in 2022. It also patched the previously exploited PrintNightmare vulnerabilities in 2021.

“Customers who have not implemented these fixes yet are urged to do so as soon as possible for their organization’s security,” Microsoft said in its advisory.

Additionally, the company also recommends disabling the Print Spooler service on domain controllers where it isn’t required for domain controller operations.
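The Print Spooler recommendation is straightforward to apply on a single domain controller. The snippet below is an added example for this article, not a script from Microsoft; it assumes the host is a domain controller (checked through Win32_ComputerSystem.DomainRole, where 4 and 5 denote backup and primary domain controllers) and treats any shared printer on the host as a sign that the service is still needed, which is a conservative assumption you may want to relax.

```powershell
# Added example (not Microsoft's script): stop and disable the Print Spooler
# service on a domain controller that does not need it. Run elevated.

# Only act on domain controllers. DomainRole 4 = backup DC, 5 = primary DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -notin 4, 5) {
    Write-Warning "This host is not a domain controller (DomainRole=$role); no change made."
    return
}

$spooler = Get-Service -Name Spooler
Write-Host "Before: Status=$($spooler.Status) StartType=$($spooler.StartType)"

# Assumption: a DC that shares printers still needs the service. Get-Printer
# requires the spooler to be running, so query it before stopping anything.
$shared = @()
if ($spooler.Status -eq 'Running') {
    $shared = Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared }
}
if ($shared) {
    Write-Warning ("Shared printers present ({0}); review before disabling." -f ($shared.Name -join ', '))
    return
}

# Stop the service now and prevent it from starting again on reboot.
if ($spooler.Status -ne 'Stopped') {
    Stop-Service -Name Spooler -Force
}
Set-Service -Name Spooler -StartupType Disabled

$after = Get-Service -Name Spooler
Write-Host "After:  Status=$($after.Status) StartType=$($after.StartType)"
```

Stopping the service removes the exposed attack surface immediately, but only the Disabled start type keeps it from returning after a reboot; both steps are needed. Across a fleet of domain controllers the same setting is normally pushed through Group Policy rather than run host by host.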

Kavita Iyer

