GooseEgg: APT28’s Secret Weapon Exploiting Critical Windows Print Spooler Flaw

by | Apr 23, 2024 | News





Microsoft has disclosed that the Russia-linked APT28 group, which Microsoft tracks as Forest Blizzard (formerly Strontium) and which is also known as Fancy Bear, has used a previously undocumented tool it calls GooseEgg to exploit CVE-2022-38028, an elevation-of-privilege vulnerability in the Windows Print Spooler service.

According to Microsoft, APT28 has used GooseEgg against CVE-2022-38028 since at least June 2020. The tool works by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions. APT28 has deployed GooseEgg in post-compromise activity against government entities, non-governmental organizations, educational institutions and transportation-sector organizations across Ukraine, Western Europe and North America.

Although GooseEgg is little more than a launcher, it lets the operator run an application of their choice with elevated privileges, which supports follow-on activity such as remote code execution, backdoor installation and lateral movement within the compromised network.


CVE-2022-38028 was reported to Microsoft by the U.S. National Security Agency and fixed in the October 2022 Patch Tuesday security updates. APT28 has used GooseEgg to gain elevated access on compromised systems and then steal credentials and other sensitive data.

GooseEgg is typically deployed together with a batch script, commonly named execute.bat or doit.bat. The script writes a file named servtask.bat containing commands for saving or compressing registry hives, then runs the GooseEgg executable and establishes persistence by creating a scheduled task that runs servtask.bat.

The GooseEgg binary accepts one of four commands, each with its own execution path. Microsoft researchers found an embedded DLL whose name typically contains the string "wayzgoose", for example wayzgoose23.dll. GooseEgg drops this DLL in the context of the Print Spooler service, where it runs with SYSTEM permissions.
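The deployment chain above (launcher batch, servtask.bat persistence, hive saving, DLL dropped into the spooler) gives a defender four concrete things to look for in endpoint telemetry. The following hunting script is an added example written for this page; it is not Microsoft's detection content and not code from the report. It assumes a simplified, Sysmon-like telemetry format (one JSON object per line with an "event" field) and assumes, since the article only says servtask.bat "saves" hives, that the hive save is done with reg.exe save. The log lines it runs over are constructed for illustration.

```python
"""Hunt for the GooseEgg deployment chain in process-creation and image-load
telemetry. Added example, not Microsoft's or the original article's code.
The telemetry format (JSON per line, fields "event", "image", "cmdline",
"parent_image", "loaded") is an assumed simplification of Sysmon events."""
import json
import re
from typing import Iterable

# Indicators named in the article: the launcher batch names, the persistence
# batch it writes, the embedded DLL naming pattern, and the host process
# (Print Spooler) the DLL is dropped into.
LAUNCHER_BATS = ("execute.bat", "doit.bat")
PERSIST_BAT = "servtask.bat"
WAYZGOOSE_RE = re.compile(r"^wayzgoose\d*\.dll$", re.IGNORECASE)
SPOOLER = "spoolsv.exe"
# Assumption (not from the article): "saving registry hives" is done with
# reg.exe save, so saves of the credential-bearing hives are flagged.
HIVES = ("hklm\\sam", "hklm\\security", "hklm\\system")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(lines: Iterable[str]) -> list[dict]:
    """Match each telemetry line against the four chain steps.

    Returns one finding per matching line, in input order, with the rule
    name and the 1-based line number so an analyst can pivot back.
    """
    findings = []
    for n, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        image = basename(ev.get("image", ""))
        if ev.get("event") == "process_create":
            cmd = ev.get("cmdline", "").lower()
            # 1. cmd.exe running one of the known launcher batch names
            if image == "cmd.exe" and any(b in cmd for b in LAUNCHER_BATS):
                findings.append({"line": n, "rule": "launcher_bat", "cmdline": ev["cmdline"]})
            # 2. a scheduled task whose action is servtask.bat (persistence)
            if image == "schtasks.exe" and "/create" in cmd and PERSIST_BAT in cmd:
                findings.append({"line": n, "rule": "servtask_persistence", "cmdline": ev["cmdline"]})
            # 3. registry hive save (assumed reg.exe save, see HIVES above)
            if image == "reg.exe" and " save " in cmd and any(h in cmd for h in HIVES):
                findings.append({"line": n, "rule": "hive_save", "cmdline": ev["cmdline"]})
        elif ev.get("event") == "image_load":
            # 4. a wayzgoose*.dll loaded into the Print Spooler process
            loaded = basename(ev.get("loaded", ""))
            if image == SPOOLER and WAYZGOOSE_RE.match(loaded):
                findings.append({"line": n, "rule": "wayzgoose_in_spooler", "dll": ev["loaded"]})
    return findings


# Constructed sample telemetry (not real captures): four chain steps plus
# two benign events that must not fire. Paths are illustrative only.
SAMPLE_LOG = [
    json.dumps({"event": "process_create", "image": "C:\\Windows\\System32\\cmd.exe",
                "parent_image": "C:\\Windows\\explorer.exe",
                "cmdline": "cmd.exe /c C:\\Users\\Public\\doit.bat"}),
    json.dumps({"event": "process_create", "image": "C:\\Windows\\System32\\reg.exe",
                "parent_image": "C:\\Windows\\System32\\cmd.exe",
                "cmdline": "reg save HKLM\\SAM C:\\Users\\Public\\sam.hiv"}),
    json.dumps({"event": "process_create", "image": "C:\\Windows\\System32\\schtasks.exe",
                "parent_image": "C:\\Windows\\System32\\cmd.exe",
                "cmdline": "schtasks /create /tn Updater /tr C:\\Users\\Public\\servtask.bat /sc minute"}),
    json.dumps({"event": "image_load", "image": "C:\\Windows\\System32\\spoolsv.exe",
                "loaded": "C:\\Temp\\wayzgoose23.dll"}),
    json.dumps({"event": "process_create", "image": "C:\\Windows\\System32\\schtasks.exe",
                "parent_image": "C:\\Windows\\System32\\svchost.exe",
                "cmdline": "schtasks /query /tn Updater"}),
    json.dumps({"event": "image_load", "image": "C:\\Windows\\System32\\spoolsv.exe",
                "loaded": "C:\\Windows\\System32\\winspool.drv"}),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Each rule on its own is noisy in a large estate (reg.exe saving SYSTEM is common in backup tooling, and spoolsv.exe loads many third-party DLLs), so the useful signal is the chain: a schtasks /create for servtask.bat, a hive save and a wayzgoose*.dll load in the spooler within minutes of each other on the same host. Filtering by parent_image (cmd.exe spawned from an interactive or unexpected parent) is the natural next step once the script is pointed at real telemetry.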




According to Microsoft's report, wayzgoose.dll is a basic launcher that spawns whatever application is specified on its command line with SYSTEM-level permissions, which is what lets the operator install backdoors, move laterally and execute code on other systems.

Microsoft’s detailed report includes comprehensive instructions for detecting, hunting, and responding to GooseEgg-related activities.

APT28, which also operates under the aliases Forest Blizzard, Fancy Bear and Pawn Storm, has been active since at least 2007, targeting governments, militaries, security organizations and other high-profile entities worldwide. The group gained notoriety for its role in the cyber campaigns surrounding the 2016 U.S. presidential election and is assessed to operate within military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).


Source: securityaffairs.com
