Russian Cyberspies Deliver ‘GooseEgg’ Malware to Government Organizations 


Russia-linked cyberespionage group APT28 has been observed exploiting Windows Print Spooler vulnerabilities to deploy a custom post-exploitation tool against numerous organizations in the US, Ukraine, and Western Europe, Microsoft reports.

Dubbed GooseEgg, the unique tool is a simple launcher application that can spawn other programs with elevated privileges, providing the attackers with capabilities such as remote code execution, backdoor deployment, and lateral movement.

To deliver GooseEgg, APT28, which Microsoft tracks as Forest Blizzard, has exploited known vulnerabilities such as CVE-2022-38028, CVE-2023-23397, and the pair CVE-2021-34527 and CVE-2021-1675 (collectively known as PrintNightmare).

The attacks, Microsoft says, have targeted government, non-governmental, education, and transportation organizations, with the goal of elevating privileges on the compromised systems and stealing credentials and data.

GooseEgg is typically deployed alongside a batch script that sets up persistence and invokes the tool’s executable. The binary accepts four commands: issuing a custom return code, triggering the exploit and launching a DLL or an executable with elevated privileges, testing the exploit, and checking whether it has succeeded.

According to Microsoft, the malware creates registry keys to generate a custom protocol handler and to register a new CLSID that acts as the COM server for it. The C: drive symbolic link in the object manager is then replaced so that it points to an actor-controlled directory containing driver packages for the Print Spooler service to load.

The malware also patches a function to invoke the rogue protocol and launch an auxiliary DLL in the context of the Print Spooler service, with System permissions.
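The two registry artefacts described above (a custom URL protocol handler and a freshly registered CLSID whose COM server is the attacker’s binary) are the kind of thing a defender can enumerate on a suspect host. The script below is an added hunting example written for this article; it is not Microsoft’s hunting query and contains no IOCs from the report. It lists every registered URL protocol scheme with the command it launches, and flags CLSID COM servers whose binary lives outside the Windows and Program Files directories. The trusted-directory list and the output fields are assumptions; expect benign hits (browsers, chat clients, vendor tools) that need triage.

```powershell
# Added hunting example, not code from the original article or from Microsoft.
# Enumerates URL protocol handlers and CLSID COM servers from the machine-wide
# Classes hive and flags servers registered from untrusted locations.

# Assumption: these are the only directories we treat as "expected" for COM servers.
$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Test-TrustedPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Strip surrounding quotes and any trailing arguments such as "%1".
    $exe = ($Path -replace '^"([^"]+)".*$', '$1') -replace '^(\S+).*$', '$1'
    $exe = $exe.ToLowerInvariant()
    foreach ($root in $TrustedRoots) {
        if ($exe.StartsWith($root)) { return $true }
    }
    return $false
}

function Get-UrlProtocolHandler {
    # A key directly under HKLM\SOFTWARE\Classes with a "URL Protocol" value is a scheme handler.
    $classes = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes'
    Get-ChildItem -Path $classes -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and ($props.PSObject.Properties.Name -contains 'URL Protocol')) {
            $cmdKey = Join-Path $_.PSPath 'shell\open\command'
            $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                Scheme  = $_.PSChildName
                Command = $cmd
                Trusted = Test-TrustedPath $cmd
            }
        }
    }
}

function Get-UntrustedComServer {
    # Each CLSID may carry a LocalServer32 (EXE) or InprocServer32 (DLL) default value.
    $clsidRoot = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID'
    Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($serverKey in 'LocalServer32', 'InprocServer32') {
            $path = Join-Path $_.PSPath $serverKey
            $server = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'(default)'
            if ($server -and -not (Test-TrustedPath $server)) {
                [pscustomobject]@{
                    CLSID      = $_.PSChildName
                    ServerType = $serverKey
                    Server     = $server
                }
            }
        }
    }
}

# Usage: run elevated on the host under investigation, then review anything
# that is not Trusted or that appears in the untrusted COM server list.
Get-UrlProtocolHandler | Where-Object { -not $_.Trusted } | Format-Table -AutoSize
Get-UntrustedComServer | Format-Table -AutoSize
```

Because this reads only the HKLM Classes hive, per-user handlers under HKCU are not covered; run the same enumeration against the loaded user hives if the host has interactive users. Pairing the output with the registry key’s last-write time (available through the Win32 registry API, not through these cmdlets) is the quickest way to narrow hundreds of benign entries down to recently created ones.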

This library is “a basic launcher application capable of spawning other applications specified at the command line with System-level permissions, enabling threat actors to perform other malicious activities such as installing a backdoor, moving laterally through compromised networks, and remotely executing code”, Microsoft explains.


The tech giant urges customers to apply the security update for the Print Spooler vulnerability released in 2022, as well as the PrintNightmare vulnerabilities patches released in 2021.

“Customers who have not implemented these fixes yet are urged to do so as soon as possible for their organization’s security. In addition, since the Print Spooler service isn’t required for domain controller operations, Microsoft recommends disabling the service on domain controllers,” the company notes.
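The recommendation above is straightforward to audit and enforce at scale. The following is an added example for this article, not a script from Microsoft or from the report: it determines whether the local machine is a domain controller from its Win32_ComputerSystem domain role, reports the Print Spooler service state, and disables and stops the service when run with -Remediate on a DC. The KB list is a labelled placeholder because the article names the CVEs but not the update identifiers; fill it in from the vendor advisory before use.

```powershell
# Added hardening example, not code from the original article or from Microsoft.
# Audits (and optionally remediates) the Print Spooler service on domain controllers.

# Placeholder: replace with the KB numbers from the vendor advisories for the
# CVEs named in the article. The article does not list them, so none are given here.
$RequiredUpdates = @('KB<placeholder-for-CVE-2022-38028>', 'KB<placeholder-for-PrintNightmare>')

function Test-DomainController {
    # DomainRole 4 = backup domain controller, 5 = primary domain controller.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -ge 4)
}

function Get-SpoolerStatus {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        IsDC        = Test-DomainController
        Status      = $svc.Status
        StartType   = $svc.StartType
    }
}

function Get-MissingUpdate {
    # Compares installed hotfixes against the required list; anything missing is returned.
    $installed = (Get-HotFix -ErrorAction SilentlyContinue).HotFixID
    $RequiredUpdates | Where-Object { $installed -notcontains $_ }
}

function Invoke-SpoolerHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remediate)

    $state = Get-SpoolerStatus
    if (-not $state) { Write-Output 'Print Spooler service not present.'; return }
    Write-Output $state

    $missing = Get-MissingUpdate
    if ($missing) { Write-Warning "Missing updates: $($missing -join ', ')" }

    # Only domain controllers are in scope; print servers and workstations keep the service.
    if (-not $state.IsDC) { Write-Output 'Not a domain controller; leaving Spooler untouched.'; return }

    if ($state.StartType -eq 'Disabled' -and $state.Status -eq 'Stopped') {
        Write-Output 'Spooler already disabled and stopped.'; return
    }

    if ($Remediate -and $PSCmdlet.ShouldProcess('Spooler', 'Disable and stop')) {
        Set-Service -Name Spooler -StartupType Disabled
        Stop-Service -Name Spooler -Force
        Write-Output 'Spooler disabled and stopped.'
    } else {
        Write-Warning 'Spooler is enabled on a domain controller; re-run with -Remediate.'
    }
}

# Usage: Invoke-SpoolerHardening            # audit only
#        Invoke-SpoolerHardening -Remediate # disable on a DC (supports -WhatIf)
Invoke-SpoolerHardening
```

Run it through a scheduled job or a remoting loop over the DC list so that a service re-enabled by an administrator or a reinstall is caught on the next pass; a DC where the spooler is running but the patch check passes is still worth disabling, since the service has no role in domain controller operations.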

The company also released indicators of compromise (IOCs) associated with the observed attacks, along with additional resources to help organizations hunt for potential GooseEgg infections.

Believed to be linked to the Russian General Staff Main Intelligence Directorate (GRU), APT28 is known for targeting organizations in the US, Europe, and the Middle East for intelligence gathering, in support of Russian government foreign policy initiatives.

Related: FBI Dismantles Ubiquiti Router Botnet Controlled by Russian Cyberspies

Related: Russian APT Used Zero-Click Outlook Exploit

Related: US, UK: Russia Exploiting Old Vulnerability to Hack Cisco Routers
