Microsoft Flags Russian APT28 Exploiting Windows Vulnerability with New Hacking Tool

Microsoft has issued a warning regarding the Russian APT28 threat group, revealing that the group is exploiting a vulnerability in Windows Print Spooler to escalate privileges and steal credentials using a newly identified hacking tool dubbed GooseEgg. This tool specifically targets the CVE-2022-38028 vulnerability, which was reported by the U.S. National Security Agency and subsequently patched by Microsoft during its October 2022 Patch Tuesday. However, Microsoft had not previously flagged this vulnerability as actively exploited.

APT28, which operates under the umbrella of Military Unit 26165 of Russia's GRU, employs GooseEgg to deploy additional malicious tools and execute commands with SYSTEM-level privileges. The tool is deployed via Windows batch scripts named 'execute.bat' or 'doit.bat', which launch the GooseEgg executable; the executable establishes persistence by creating a scheduled task named 'servtask.bat'.

Moreover, GooseEgg utilizes an embedded malicious DLL, occasionally referred to as 'wayzgoose23.dll', to further manipulate the compromised system. This DLL, functioning as an app launcher inside the Print Spooler service with SYSTEM permissions, facilitates the execution of other payloads, allowing the attackers to install backdoors, move laterally across victim networks, and execute remote code.
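The two paragraphs above name concrete host artifacts a defender can hunt for: the 'execute.bat' / 'doit.bat' launcher scripts, the 'servtask.bat' scheduled task, the 'wayzgoose23.dll' loader, and payloads spawned from the Print Spooler process. The following is an added example, written for this page and not Microsoft's detection logic, that scores a simplified Windows event stream against those artifacts. The `Event` shape, the sample events, the file paths in them and the baseline of expected Print Spooler child processes are all constructed assumptions; only the artifact names come from the article.

```python
"""Added example: flag the GooseEgg host artifacts named in the article in a
simplified Windows event stream. Illustrative detection logic written for this
page, not Microsoft's rules; the Event shape and sample events are constructed."""

from dataclasses import dataclass
from typing import List, Tuple
import ntpath

# Artifact names taken from the article, matched case-insensitively.
LAUNCHER_SCRIPTS = {"execute.bat", "doit.bat", "servtask.bat"}
LOADER_DLLS = {"wayzgoose23.dll"}
SPOOLER_IMAGE = "spoolsv.exe"
# Children the Print Spooler is expected to spawn in this toy model
# (assumption; tune to your own environment's baseline).
EXPECTED_SPOOLER_CHILDREN = {"splwow64.exe", "printfilterpipelinesvc.exe"}


@dataclass
class Event:
    kind: str                 # "process", "image_load" or "scheduled_task"
    image: str = ""           # image path of the process involved
    parent: str = ""          # parent image path (process events)
    command_line: str = ""    # full command line (process events)
    module: str = ""          # loaded DLL path (image_load events)
    task: str = ""            # task name (scheduled_task events)


def _name(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return ntpath.basename(path).lower()


def score_event(ev: Event) -> List[str]:
    """Return the GooseEgg indicators matched by a single event (empty if none)."""
    hits: List[str] = []
    if ev.kind == "process":
        cmd = ev.command_line.lower()
        for script in LAUNCHER_SCRIPTS:
            if script in cmd:
                hits.append(f"launcher script {script} in command line")
        # Payloads launched via the loader DLL run as children of spoolsv.exe.
        if _name(ev.parent) == SPOOLER_IMAGE and _name(ev.image) not in EXPECTED_SPOOLER_CHILDREN:
            hits.append(f"unexpected Print Spooler child {_name(ev.image)}")
    elif ev.kind == "image_load":
        if _name(ev.module) in LOADER_DLLS:
            hits.append(f"{_name(ev.module)} loaded into {_name(ev.image)}")
    elif ev.kind == "scheduled_task":
        if _name(ev.task) in LAUNCHER_SCRIPTS:
            hits.append(f"scheduled task named {ev.task}")
    return hits


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Scan an event list and return (event index, indicator) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in score_event(ev)]


# Constructed sample events: paths, user folder and payload name are invented;
# only the artifact names are from the article.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\cmd.exe", parent=r"C:\Windows\explorer.exe",
          command_line=r'cmd.exe /c "C:\Users\alice\Downloads\doit.bat"'),
    Event("scheduled_task", task="servtask.bat"),
    Event("image_load", image=r"C:\Windows\System32\spoolsv.exe",
          module=r"C:\Windows\System32\wayzgoose23.dll"),
    Event("process", image=r"C:\Windows\Temp\payload.exe", parent=r"C:\Windows\System32\spoolsv.exe",
          command_line=r"C:\Windows\Temp\payload.exe"),
    Event("process", image=r"C:\Windows\splwow64.exe", parent=r"C:\Windows\System32\spoolsv.exe",
          command_line="splwow64.exe"),
    Event("process", image=r"C:\Windows\System32\notepad.exe", parent=r"C:\Windows\explorer.exe",
          command_line="notepad.exe"),
]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {hit}")
```

Running the block reports the first four sample events and stays silent on the two benign ones. The parent/child check on spoolsv.exe is the most durable of these signals: file names like 'doit.bat' are trivial for an operator to rename, whereas a launcher running inside the Print Spooler still has to spawn its payload from that process.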

"Microsoft has observed Forest Blizzard using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations," stated Microsoft. "While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks."

APT28, also known as Fancy Bear, has been implicated in numerous high-profile cyberattacks since it first came to prominence in the mid-2000s. Notable past activities include exploiting a zero-day in Cisco routers last year to deploy Jaguar Tooth malware, using compromised Ubiquiti EdgeRouters to avoid detection in recent attacks, and breaches involving the German Federal Parliament and major U.S. political organizations ahead of the 2016 U.S. Presidential Election.