The Russia-linked hacker group known as APT28 has exploited a security flaw in the Microsoft Windows Print Spooler component to distribute a previously unknown custom malware called GooseEgg.
How it works and what problems GooseEgg causes
The post-compromise tool, which is believed to have been in use since at least June 2020 and possibly as early as April 2019, exploited a now-fixed flaw that allowed privilege escalation (CVE-2022-38028, CVSS score: 7.8).
The vulnerability exploited by GooseEgg was addressed by Microsoft as part of updates released in October 2022, with the US National Security Agency (NSA) credited with reporting the flaw at the time.
According to new findings from the big tech company's threat intelligence team, APT28, also called Fancy Bear and Forest Blizzard (formerly Strontium), exploited the bug in targeted attacks on government, non-government, education, and transportation organizations in Ukraine, Western Europe, and North America.
How GooseEgg works in detail
“Forest Blizzard has used the tool […] to exploit the CVE-2022-38028 vulnerability in the Windows Print Spooler service by modifying a JavaScript constraints file and running it with SYSTEM-level permissions,” the company said.
“Although it is a simple launcher application, GooseEgg is able to launch other applications specified from the command line with elevated permissions, allowing threat actors to support any subsequent objectives such as remote code execution, installation of a backdoor, and lateral movement through compromised networks.”
Forest Blizzard is believed to be affiliated with Unit 26165 of the Russian Federation's military intelligence agency, the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
Active for almost 15 years, the Kremlin-backed hacker group predominantly focuses on collecting information in support of the Russian government's foreign policy initiatives.
In recent months, APT28 hackers have also exploited a privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) and a code execution bug in WinRAR (CVE-2023-38831, CVSS score: 7.8), indicating their ability to quickly adopt public exploits.
Hackers' goals and tools used
“Forest Blizzard's goal in distributing GooseEgg is to achieve elevated access to target systems and steal credentials and information,” Microsoft said. “GooseEgg typically ships with a batch script.”
The GooseEgg binary supports commands to trigger the exploit and launch either a provided dynamic-link library (DLL) or an executable with elevated permissions; it also checks whether the exploit was successfully triggered by running the whoami command.
The disclosure comes as IBM X-Force revealed new phishing attacks orchestrated by the hacker group Gamaredon (also known as Aqua Blizzard, Hive0051 and UAC-0010) targeting Ukraine and Poland and distributing new iterations of the GammaLoad malware:
- GammaLoad.VBS, a VBS-based backdoor that starts the infection chain
- GammaStager, used to download and execute a series of Base64-encoded VBS payloads
- GammaLoadPlus, used to execute .EXE payloads
- GammaInstall, which acts as a loader for a well-known PowerShell backdoor called GammaSteel
- GammaLoad.PS, a PowerShell implementation of GammaLoad
- GammaLoadLight.PS, a PowerShell variant that contains code to spread itself to connected USB devices
- GammaInfo, a PowerShell-based enumeration script that collects various information from the host
- GammaSteel, a PowerShell-based malware to exfiltrate files from a victim based on a list of allowed extensions
“Hive0051 rotates the infrastructure through a synchronized DNS stream across multiple channels including Telegram, Telegraph and Filetransfer.io,” IBM X-Force researchers said earlier this month, stating that this “indicates a potential increase in actor resources and capabilities dedicated to ongoing operations,” and adding: “Hive0051's continued deployment of new tools, capabilities and delivery methods is most likely to facilitate an accelerated operational tempo.”