Russia’s APT28 Exploited Windows Print Spooler Flaw to Deploy ‘GooseEgg’ Malware

April 23, 2024WritingNational Security Agency / Threat Intelligence

Windows Print Spooler Fault

Nation-state threat actor linked to Russia is considered APT28 exploited a security flaw in the Microsoft Windows Print Spooler component to distribute a previously unknown custom malware called GooseEgg.

The post-compromise tool, which is believed to have been in use since at least June 2020 and possibly as early as April 2019, exploited a now-patched flaw that allowed privilege escalation (CVE-2022-38028, CVSS score: 7.8).

This issue was fixed by Microsoft as part of updates released in October 2022, with the United States National Security Agency (NSA) credited with reporting the flaw at the time.

According to new findings from the tech giant’s threat intelligence team, APT28 – also called Fancy Bear and Forest Blizzard (formerly Strontium) – used the bug in attacks targeting governments, non-governmental organizations, l education and transport of Ukraine, Western Europe and North America. sector organizations.

Cyber ​​security

“Forest Blizzard used the tool (…) to exploit the CVE-2022-38028 vulnerability in the Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM level permissions,” it said. the society.

“Although it is a simple launcher application, GooseEgg is capable of spawning other applications specified on the command line with elevated permissions, allowing malicious actors to take over any subsequent goals such as remote code execution, backdoor installation, and lateral movement across compromised networks. “

Forest Blizzard is reportedly affiliated with Unit 26165 of the Russian Federation’s military intelligence agency, the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

Active for nearly 15 years, the Kremlin-backed hacking group’s activities are primarily geared toward gathering intelligence in support of the Russian government’s foreign policy initiatives.

In recent months, APT28 hackers have also abused an elevation of privilege flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) and a code execution bug in WinRAR (CVE -2023-38831, CVSS score: 7.8), indicating their ability to quickly adopt public exploits in their profession.

“Forest Blizzard’s goal in deploying GooseEgg is to gain elevated access to target systems and steal credentials and information,” Microsoft said. “GooseEgg is typically deployed with a batch script.”

The GooseEgg binary supports commands to trigger the exploit and launch either a bundled dynamic link library (DLL) or an executable with elevated permissions. It also checks if the exploit was successfully activated using the whoami command.

Cyber ​​security

This disclosure comes as IBM

  • GammaLoad.VBS, which is a VBS-based backdoor that starts the infection chain
  • GammaStager, which is used to download and execute a series of Base64-encoded VBS payloads
  • GammaLoadPlus, which is used to execute .EXE payloads
  • GammaInstall, which serves as a loader for a known PowerShell backdoor called GammaSteel
  • GammaLoad.PS, a PowerShell implementation of GammaLoad
  • GammaLoadLight.PS, a PowerShell variant that contains code to propagate itself to attached USB devices
  • GammaInfo, a PowerShell-based enumeration script collecting various information from the host
  • GammaSteel, a PowerShell-based malware to exfiltrate a victim’s files based on an allowlist of extensions

“Hive0051 rotates infrastructure via a synchronized DNS feed across multiple channels, including Telegram, Telegraph, and,” IBM X-Force researchers said earlier this month, stating that this “indicates an increase potential of the resources and capacities of the actors devoted to ongoing operations.

“It is highly likely that Hive0051’s consistent implementation of new tools, capabilities and delivery methods will facilitate an accelerated pace of operations. »

Did you find this article interesting ? follow us on Twitter and LinkedIn to read more of the exclusive content we publish.

News Source :
Gn tech

Back to top button