Microsoft warns that Russian threat group APT28 is exploiting a Windows Print Spooler vulnerability to escalate privileges and steal credentials and data using a previously unknown hacking tool called GooseEgg.
APT28 designed this tool to target CVE-2022-38028, a vulnerability reported by the US National Security Agency, which Redmond patched in the October 2022 Patch Tuesday (Redmond had not previously identified it as actively exploited).
Military hackers, who are part of military unit 26165 of the Main Intelligence Directorate of the General Staff (GRU), use the tool to launch additional malicious tools and execute various commands with SYSTEM-level privileges.
Attackers deploy this post-compromise tool as a Windows batch script named “execute.bat” or “doit.bat”, which launches the GooseEgg executable and gains persistence on the compromised system by adding a scheduled task that launches “servtask.bat”, a second batch script written to disk.
They also use GooseEgg to drop an embedded malicious DLL file (in some cases named “wayzgoose23.dll”) in the context of the PrintSpooler service with SYSTEM permissions.
This DLL is actually an application launcher that can execute other payloads with SYSTEM-level permissions, allowing attackers to deploy backdoors, move laterally through victims’ networks, and remotely execute code on hacked systems.
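The behaviours described above (a batch-script chain that registers a scheduled task for persistence, and code running in the Print Spooler's SYSTEM context) are the kind a defender can hunt for in process-creation telemetry. The following is an added detection example written for this page, not code from Microsoft's report or from GooseEgg itself. The record fields mirror Sysmon Event ID 1, the sample events are constructed, and the only values taken from the article are the batch script names; every path, task name and allow-listed spooler child is an assumption to tune for your own estate.

```python
"""Toy detection pass over constructed process-creation records.

Added example (not from the article or Microsoft's report). Flags three
behaviours the article describes: GooseEgg batch scripts being invoked,
scheduled-task persistence pointing at a .bat file, and the Print Spooler
spawning an unexpected child process while running as SYSTEM.
"""
from dataclasses import dataclass
import ntpath

# File names taken from the article; everything else in this block is illustrative.
SUSPECT_BATCH_NAMES = {"execute.bat", "doit.bat", "servtask.bat"}

# Children the spooler is expected to launch (assumption: adjust per environment).
SPOOLER_EXPECTED_CHILDREN = {"printfilterpipelinesvc.exe", "splwow64.exe"}


@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str
    user: str


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule_name, event) tuples for every record that matches a rule."""
    findings = []
    for ev in events:
        img, parent = _basename(ev.image), _basename(ev.parent_image)
        cmd = ev.command_line.lower()

        # 1. Print Spooler spawning something unexpected: the article says the
        #    launcher DLL executes payloads in the PrintSpooler context as SYSTEM.
        if parent == "spoolsv.exe" and img not in SPOOLER_EXPECTED_CHILDREN:
            findings.append(("spooler_unexpected_child", ev))

        # 2. Scheduled task created with a batch script as its action
        #    (persistence via a task that launches servtask.bat).
        if img == "schtasks.exe" and "/create" in cmd and ".bat" in cmd:
            findings.append(("schtasks_batch_action", ev))

        # 3. Known GooseEgg batch script names invoked through cmd.exe.
        if img == "cmd.exe" and any(name in cmd for name in SUSPECT_BATCH_NAMES):
            findings.append(("goosegg_batch_name", ev))
    return findings


# Constructed sample telemetry; paths and task name are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
                 r"cmd.exe /c C:\ProgramData\example\execute.bat", r"CORP\user1"),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\cmd.exe",
                 r'schtasks /Create /TN "Updater" /TR C:\ProgramData\example\servtask.bat /SC ONLOGON',
                 r"CORP\user1"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\spoolsv.exe",
                 "cmd.exe /c whoami", r"NT AUTHORITY\SYSTEM"),
    ProcessEvent(r"C:\Windows\System32\printfilterpipelinesvc.exe",
                 r"C:\Windows\System32\spoolsv.exe", "PrintFilterPipelineSvc.exe",
                 r"NT AUTHORITY\SYSTEM"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
                 "notepad.exe notes.txt", r"CORP\user1"),
]


def summarize(events=SAMPLE_EVENTS):
    """Map rule name -> number of matching events, for a quick triage view."""
    counts = {}
    for rule, _ in detect(events):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {ev.user}: {ev.command_line}")
```

Rule 1 is the most durable of the three, since it keys on the spooler's process tree rather than on file names an operator can trivially change; rules 2 and 3 are cheap indicator matches that will age as the tooling does.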
“Microsoft observed Forest Blizzard using GooseEgg in post-compromise activities against targets including Ukrainian, Western European and North American government organizations, non-governmental organizations, education and transportation,” Microsoft explains.
“Although it is a simple launcher application, GooseEgg is capable of spawning other applications specified on the command line with elevated permissions, allowing malicious actors to take over any subsequent goals such as remote code execution, backdoor installation, and lateral movement across compromised networks.”
History of high-profile cyberattacks
APT28 is a prominent Russian hacker group responsible for numerous high-profile cyberattacks since their emergence in the mid-2000s.
Last year, US and UK intelligence services warned that APT28 exploited a Cisco router zero-day to deploy Jaguar Tooth malware, allowing it to harvest sensitive information from targets in the United States and the EU.
Most recently, in February, a joint advisory issued by the FBI, NSA and international partners warned that APT28 was using hacked Ubiquiti EdgeRouters to evade detection during attacks.
They have also been linked in the past to the breach of the German Federal Parliament (Deutscher Bundestag) and hacks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) before the 2016 US presidential election.
Two years later, the United States indicted APT28 members for their involvement in the DNC and DCCC attacks, while the Council of the European Union also sanctioned APT28 members in October 2020 for hacking the German Federal Parliament.