Russian Cyberspies Deliver ‘GooseEgg’ Malware to Government Organizations 

Russia-linked APT28 deploys the GooseEgg post-exploitation tool against numerous US and European organizations.

Russia-linked cyberespionage group APT28 has been observed exploiting Windows Print Spooler vulnerabilities to deploy a custom post-exploitation tool against numerous organizations in the US, Ukraine, and Western Europe, Microsoft reports.

Dubbed GooseEgg, the unique tool is a simple launcher application that can spawn other programs with elevated privileges, providing the attackers with capabilities such as remote code execution, backdoor deployment, and lateral movement.

To deliver GooseEgg, APT28, which Microsoft tracks as Forest Blizzard, has exploited known vulnerabilities such as CVE-2022-38028, CVE-2023-23397, and the PrintNightmare bugs CVE-2021-34527 and CVE-2021-1675.

The attacks, Microsoft says, have targeted government, non-governmental, education, and transportation organizations, to elevate privileges on the compromised systems and steal credentials and data.

GooseEgg is typically deployed alongside a batch script that sets up persistence and invokes the tool’s executable. The binary accepts four commands: issue a custom return code, trigger the exploit and launch a DLL or an executable with elevated privileges, test the exploit, and check whether it has succeeded.

According to Microsoft, the malware creates registry keys to register a custom protocol handler and a new CLSID that acts as the COM server for it. The C: drive symbolic link in the object manager is then replaced so that it points to an actor-controlled directory containing driver packages for the Print Spooler service to load.

The malware also patches a function to invoke the rogue protocol and launch an auxiliary DLL in the context of the Print Spooler service, with System permissions.

This library is “a basic launcher application capable of spawning other applications specified at the command line with System-level permissions, enabling threat actors to perform other malicious activities such as installing a backdoor, moving laterally through compromised networks, and remotely executing code,” Microsoft explains.
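The registry artifacts described above (a custom protocol handler plus a CLSID that serves it) are something a defender can audit directly. The following PowerShell snippet is an added example, not code from the article or from Microsoft’s hunting resources: it enumerates every URL protocol handler registered under HKEY_CLASSES_ROOT, resolves the command it launches and any CLSID it references, and prints the ones that are not on a baseline list you maintain. The `$knownSchemes` baseline is an assumption and should be replaced with the schemes expected on your own build.

```powershell
# Added example (not from the article or Microsoft): audit custom URL protocol
# handlers registered in HKCR, since GooseEgg registers one together with a CLSID.
# Assumes it runs as a user who can read HKEY_CLASSES_ROOT (normal users can).

# Assumption: the schemes you expect on a clean build. Tune this baseline per image.
$knownSchemes = @('http', 'https', 'mailto', 'ftp', 'file', 'ms-settings', 'ms-help')

$root = 'Registry::HKEY_CLASSES_ROOT'

Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
    Where-Object {
        # A key is a protocol handler when it carries the 'URL Protocol' value.
        $null -ne (Get-ItemProperty -Path $_.PSPath -Name 'URL Protocol' -ErrorAction SilentlyContinue)
    } |
    ForEach-Object {
        $scheme = $_.PSChildName

        # Command executed when the scheme is invoked (shell\open\command default value).
        $cmdKey  = Join-Path $_.PSPath 'shell\open\command'
        $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'

        # Some handlers delegate to a COM server instead of a command line.
        $clsidKey = Join-Path $_.PSPath 'CLSID'
        $clsid    = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
        $server   = $null
        if ($clsid) {
            $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        }

        [pscustomobject]@{
            Scheme    = $scheme
            Command   = $command
            CLSID     = $clsid
            ComServer = $server
            Baseline  = ($knownSchemes -contains $scheme.ToLower())
        }
    } |
    Where-Object { -not $_.Baseline } |
    Sort-Object Scheme |
    Format-Table -AutoSize -Wrap
```

Review each unexpected scheme by hand: a handler whose command or COM server DLL lives outside the usual Program Files or System32 locations, or that was registered around the time of suspicious Print Spooler activity, is worth pulling into the investigation alongside Microsoft’s published IOCs.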


The tech giant urges customers to apply the security update for the Print Spooler vulnerability released in 2022, as well as the PrintNightmare vulnerabilities patches released in 2021.

“Customers who have not implemented these fixes yet are urged to do so as soon as possible for their organization’s security. In addition, since the Print Spooler service isn’t required for domain controller operations, Microsoft recommends disabling the service on domain controllers,” the company notes.
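The two mitigations Microsoft recommends, patching and disabling the Print Spooler on domain controllers, can be checked and enforced with a short script. The following PowerShell is an added example, not something from the article or from Microsoft: it reports the Spooler service state, and when the host is a domain controller and the service is not already disabled, stops and disables it. It assumes it is run elevated; the `$requiredUpdate` KB identifier is a placeholder to be taken from the Microsoft advisory for CVE-2022-38028, as the article does not list it.

```powershell
# Added example (not from the article or Microsoft): enforce "no Print Spooler on DCs"
# and confirm the Print Spooler update is present. Run as an administrator.

# DomainRole from Win32_ComputerSystem: 4 = backup domain controller, 5 = primary domain controller.
$isDomainController = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -in 4, 5

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler) {
    Write-Output 'Print Spooler service is not installed on this host.'
    return
}

Write-Output ('Spooler: Status={0} StartType={1} DomainController={2}' -f
    $spooler.Status, $spooler.StartType, $isDomainController)

if ($isDomainController -and $spooler.StartType -ne 'Disabled') {
    # Spooler is not needed for domain controller operations; stop it and prevent restart.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled
    Write-Output 'Print Spooler stopped and set to Disabled on this domain controller.'
}

# Placeholder: replace with the KB number from the Microsoft advisory for CVE-2022-38028.
$requiredUpdate = 'KB<PLACEHOLDER>'
$installed = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $requiredUpdate }
if ($installed) {
    Write-Output ("Update {0} installed on {1}." -f $requiredUpdate, $installed.InstalledOn)
} else {
    Write-Output ("Update {0} not found; apply the Print Spooler security update." -f $requiredUpdate)
}
```

On member servers and workstations the script only reports; leaving the spooler running there is a business decision the article does not address, so the script does not change it. Note that `Get-HotFix` reports only updates installed through the Windows update mechanism, so a host patched by a cumulative update may list a different KB than the one in the advisory; cross-check with the OS build number when in doubt.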

The company also released indicators of compromise (IOCs) associated with the observed attacks, along with additional resources to help organizations hunt for potential GooseEgg infections.

Believed to be linked to the Russian General Staff Main Intelligence Directorate (GRU), APT28 is known for targeting organizations in the US, Europe, and the Middle East for intelligence gathering, in support of Russian government foreign policy initiatives.

Related: FBI Dismantles Ubiquiti Router Botnet Controlled by Russian Cyberspies

Related: Russian APT Used Zero-Click Outlook Exploit

Related: US, UK: Russia Exploiting Old Vulnerability to Hack Cisco Routers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
