Microsoft warns that Russian threat group APT28 is exploiting a Windows Print Spooler vulnerability to escalate privileges and steal credentials and data using a previously unknown hacking tool called GooseEgg.
APT28 has been using this tool to exploit the CVE-2022-38028 vulnerability “since at least June 2020 and possibly as early as April 2019”.
Redmond fixed the vulnerability reported by the US National Security Agency during Microsoft’s October 2022 Patch Tuesday, but has not yet identified it as actively exploited in its advisory.
Military hackers, part of military unit 26165 of the Main Intelligence Directorate of the Russian General Staff (GRU), use GooseEgg to launch and deploy additional malicious payloads and execute various commands with SYSTEM-level privileges.
Microsoft has seen attackers drop this tool post-compromise as a Windows batch script named “execute.bat” or “doi.bat”, which launches a GooseEgg executable and gains persistence on the compromised system by adding a scheduled task that launches “servtask.bat”, a second batch script written to disk.
They also use GooseEgg to drop an embedded malicious DLL file (in some cases dubbed “wayzgoose23.dll”) in the context of the PrintSpooler service with SYSTEM permissions.
This DLL is actually an application launcher that can execute other payloads with SYSTEM-level permissions and allows attackers to deploy backdoors, move laterally through victims’ networks, and execute remote code on hacked systems.
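The persistence step described above (a scheduled task that runs a second batch script) leaves a trace in Windows Security event ID 4698, whose TaskContent field carries the task XML. The following hunting snippet is an added example, not Microsoft's or the attacker's code: it parses constructed 4698 TaskContent payloads, flags any task that references the batch names named in this report, and separately flags tasks that run a .bat as SYSTEM, which is the pattern rather than the specific names.

```python
"""Hunt 4698 (scheduled task created) events for GooseEgg-style persistence.

Sample TaskContent XML below is constructed for this example; the batch
file names are the ones reported for GooseEgg above.
"""
import ntpath
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Batch-script names reported for GooseEgg's dropper and persistence stage.
GOOSEEGG_BATCH_NAMES = {"execute.bat", "doi.bat", "servtask.bat"}
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}

# Constructed TaskContent payloads, shaped like what event 4698 records.
SAMPLE_GOOSEEGG = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>cmd.exe</Command>
    <Arguments>/c "C:\\Windows\\Temp\\servtask.bat"</Arguments></Exec></Actions>
</Task>"""
SAMPLE_BENIGN = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>%SystemRoot%\\System32\\sc.exe</Command>
    <Arguments>start Spooler</Arguments></Exec></Actions>
</Task>"""


def task_actions(task_xml: str):
    """Return (command, arguments) pairs from a 4698 TaskContent payload."""
    root = ET.fromstring(task_xml)
    pairs = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        pairs.append((cmd, args))
    return pairs


def classify_task(task_xml: str) -> str:
    """'known-indicator' if a reported GooseEgg batch name appears in the
    action; 'suspicious-batch' if a SYSTEM task runs any .bat; else 'benign'."""
    root = ET.fromstring(task_xml)
    user = root.findtext(".//t:Principals/t:Principal/t:UserId", default="", namespaces=NS)
    as_system = (user or "").strip().upper() in SYSTEM_IDS
    for cmd, args in task_actions(task_xml):
        tokens = [cmd] + args.replace('"', "").split()
        names = {ntpath.basename(t).lower() for t in tokens}
        if names & GOOSEEGG_BATCH_NAMES:
            return "known-indicator"
        if as_system and any(n.endswith(".bat") for n in names):
            return "suspicious-batch"
    return "benign"
```

In production, feed it the TaskContent field exported from the Security log rather than the inline samples, and treat "suspicious-batch" hits as triage candidates, since legitimate admin tasks also run batch files as SYSTEM.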
“Microsoft observed Forest Blizzard using GooseEgg in post-compromise activities against targets including Ukrainian, Western European and North American government organizations, non-governmental organizations, education and transportation,” Microsoft explains.
“Although it is a simple launcher application, GooseEgg is capable of spawning other applications specified on the command line with elevated permissions, allowing malicious actors to take over any subsequent goals such as remote code execution, backdoor installation, and lateral movement across compromised networks.”
History of high-profile cyberattacks
APT28, a major Russian hacker group, has been responsible for numerous high-profile cyberattacks since they emerged in the mid-2000s.
For example, a year ago, US and UK intelligence services warned of APT28’s exploitation of a Cisco router zero-day to deploy Jaguar Tooth malware, allowing it to harvest sensitive information from targets in the United States and the EU.
Most recently, in February, a joint advisory issued by the FBI, NSA and international partners warned that APT28 was using hacked Ubiquiti EdgeRouters to evade detection during attacks.
They have also been linked in the past to the breach of the German Federal Parliament (Deutscher Bundestag) and hacks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) before the 2016 US presidential election.
Two years later, the United States indicted APT28 members for their involvement in the DNC and DCCC attacks, while the Council of the European Union also sanctioned APT28 members in October 2020 for hacking the German Federal Parliament.