​Microsoft warns that the Russian APT28 threat group exploits a Windows Print Spooler vulnerability to escalate privileges and steal credentials and data using a previously unknown hacking tool called GooseEgg.
APT28 has been using this tool to exploit the CVE-2022-38028 vulnerability “since at least June 2020 and possibly as early as April 2019.”
Redmond fixed the vulnerability reported by the U.S. National Security Agency during the Microsoft October 2022 Patch Tuesday but has yet to tag it as actively exploited in its advisory.
The military hackers, part of Military Unit 26165 of Russia’s Main Intelligence Directorate of the General Staff (GRU), use GooseEgg to launch and deploy additional malicious payloads and run various commands with SYSTEM-level privileges.
Microsoft has seen the attackers drop this post-compromise tool as a Windows batch script named ‘execute.bat’ or ‘doit.bat,’ which launches a GooseEgg executable and gains persistence on the compromised system by adding a scheduled task that launches ‘servtask.bat,’ a second batch script written to the disk.
They also use GooseEgg to drop an embedded malicious DLL file (in some cases dubbed ‘wayzgoose23.dll’) in the context of the PrintSpooler service with SYSTEM permissions.
This DLL is actually an app launcher that can execute other payloads with SYSTEM-level permissions and lets attackers deploy backdoors, move laterally through victims’ networks, and run remote code on breached systems.
“Microsoft has observed Forest Blizzard using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations,” Microsoft explains.
“While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks.”
History of high-profile cyberattacks
APT28, a prominent Russian hacking group, has been responsible for many high-profile cyber attacks since it first surfaced in the mid-2000s.
For instance, one year ago, U.S. and U.K. intelligence services warned about APT28 exploiting a Cisco router zero-day to deploy Jaguar Tooth malware, which allowed it to harvest sensitive information from targets in the U.S. and EU.
More recently, in February, a joint advisory issued by the FBI, the NSA, and international partners warned that APT28 used hacked Ubiquiti EdgeRouters to evade detection in attacks.
They were also linked in the past with the breach of the German Federal Parliament (Deutscher Bundestag) and hacks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) ahead of the 2016 U.S. Presidential Election.
Two years later, the U.S. charged APT28 members for their involvement in the DNC and DCCC attacks, while the Council of the European Union also sanctioned APT28 members in October 2020 for the German Federal Parliament hack.
