According to Microsoft, there is a critical security threat targeting Windows operating systems. This threat group, known as APT28, is exploiting a vulnerability in the Print Spooler to gain unauthorized access to sensitive data and credentials. This attack is being carried out using a new hacking tool called GooseEgg, which was previously unknown to Microsoft.
The use of GooseEgg by APT28 was first noticed in June 2020, but it is believed that they may have been using it since April 2019. This vulnerability, known as CVE-2022-38028, was identified by the U.S. National Security Agency and has since been patched by Microsoft during their October 2022 Patch Tuesday release. However, Microsoft has not yet classified this vulnerability as actively exploited in their advisory.
Military Unit 26165, part of Russia’s Main Intelligence Directorate of the General Staff (GRU), is responsible for carrying out these attacks. They use GooseEgg to deploy additional malicious payloads and run commands with elevated permissions, allowing them to gain further access to compromised systems. Microsoft has found that the attackers drop GooseEgg as a Windows batch script, named ‘execute.bat’ or ‘doit.bat,’ which then launches the GooseEgg executable and gains persistence on the compromised system by adding a scheduled task.
The hackers also use GooseEgg to drop a malicious DLL file, known as ‘wayzgoose23.dll,’ into the PrintSpooler service with SYSTEM permissions. This DLL acts as an app launcher, enabling the attackers to execute other payloads with elevated permissions and carry out actions such as deploying backdoors, moving laterally through networks, and running remote code on compromised systems.
Microsoft has observed APT28 using GooseEgg in post-compromise activities against government, non-governmental, education, and transportation sector organizations in Ukraine, Western Europe, and North America. Although it is a simple launcher application, GooseEgg has the capability to support various follow-on objectives, making it a dangerous tool in the hands of threat actors.
History of notable cyberattacks
APT28, a well-known Russian hacking group, has been responsible for numerous high-profile cyber attacks since it was first detected in the mid-2000s. For instance, in 2021, U.S. and U.K. intelligence agencies warned about APT28 using a zero-day vulnerability in Cisco routers to deploy Jaguar Tooth malware, allowing them to steal sensitive information from targets in the U.S. and EU.
More recently, the FBI, NSA, and international partners issued a joint advisory in February 2022, revealing that APT28 had used compromised Ubiquiti EdgeRouters to evade detection in their attacks. APT28 has also been linked to the breach of the German Federal Parliament and the hacks of the Democratic Congressional Campaign Committee (DCCC) and Democratic National Committee (DNC) ahead of the 2016 U.S. Presidential Election.
In 2018, the U.S. government charged members of APT28 for their involvement in the DNC and DCCC attacks, and in 2020, the Council of the European Union sanctioned APT28 members for the German Federal Parliament hack.