Pierluigi Paganini April 22, 2024

Russia-linked APT28 group used a previously unknown tool, dubbed GooseEgg, to exploit Windows Print Spooler service flaw.

Microsoft reported that the Russia-linked APT28 group (aka “Forest Blizzard”, “Fancybear” or “Strontium” used a previously unknown tool, dubbed GooseEgg, to exploit the Windows Print Spooler flaw CVE-2022-38028.

Since at least June 2020, and possibly earlier, the cyberespionage group has used the tool GooseEgg to exploit the CVE-2022-38028 vulnerability. This tool modifies a JavaScript constraints file and executes it with SYSTEM-level permissions. Microsoft has observed APT28 using GooseEgg in post-compromise activities against various targets, including government, non-governmental, education, and transportation sector organizations in Ukraine, Western Europe, and North America.

While GooseEgg is a simple launcher application, threat actors can use it to execute other applications specified at the command line with elevated permissions. In a post-exploitation scenario, attackers can use the tool to carry out a broad range of malicious activities such as remote code execution, installing backdoors, and moving laterally through compromised networks.

The vulnerability CVE-2022-38028 was reported by the U.S. National Security Agency and Microsoft addressed it with the release of Microsoft October 2022 Patch Tuesday security updates.

APT28 deployed GooseEgg to gain elevated access to target systems and steal credentials and sensitive information.

GooseEgg is usually deployed with a batch script, commonly named execute.bat or doit.bat. This script creates a file named servtask.bat, which includes commands for saving or compressing registry hives. The batch script then executes the GooseEgg executable and establishes persistence by scheduling a tack that runs the servtask.bat.

The GooseEgg binary supports four commands, each with different run paths.

Microsoft researchers noted that an embedded malicious DLL file often contains the phrase “wayzgoose” in its name, such as wayzgoose23.dll. The cybers spies use GooseEgg to drop this embedded DLL file in the context of the PrintSpooler service with SYSTEM permissions.

“wayzgoose.dll is a basic launcher application capable of spawning other applications specified at the command line with SYSTEM-level permissions, enabling threat actors to perform other malicious activities such as installing a backdoor, moving laterally through compromised networks, and remotely executing code.” reads the report published by Microsoft.

Microsoft reports include instructions for detecting, hunting, and responding to GooseEgg.

The APT28 group (aka Forest Blizzard, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.

The group operates out of military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

Most of the APT28s’ campaigns leveraged spear-phishing and malware-based attacks.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, APT28)