A known Russian advanced persistent threat (APT) group has used a custom tool to exploit a years-old bug in the Windows Print Spooler service to elevate privileges and steal credentials in numerous intelligence-gathering attacks around the world, and it appears to be paving the way for further attacks.
Fancy Bear (aka APT28, Forest Blizzard, Pawn Storm, Sofacy Group and Strontium) is linked to the Main Intelligence Directorate (GRU) of the Russian General Staff. It has been using a tool called GooseEgg since at least June 2020, and possibly as early as April 2019, to exploit the CVE-2022-38028 vulnerability in the Windows Print Spooler service, Microsoft Threat Intelligence revealed in a blog post on April 22.
Microsoft patched the flaw, which allows an attacker who successfully exploits it to gain SYSTEM privileges, in October 2022. Fancy Bear uses GooseEgg to modify a JavaScript constraints file and execute it with SYSTEM-level permissions.
“Although it is a simple startup application, GooseEgg is able to spawn other applications specified on the command line with elevated permissions, allowing threat actors to support any subsequent objectives such as remote code execution, installing a backdoor and moving laterally through compromised networks,” according to the post.
Microsoft discovered that Fancy Bear was using GooseEgg in attacks against various Ukrainian, Western European, and North American government, non-government, education, and transportation organizations.
Windows Print Spooler, the service that manages the printing process in Windows, is a popular target for attackers, who have pounced on numerous flaws in it. The best known are two vulnerabilities collectively called PrintNightmare, which were disclosed in late June 2021 and spawned a series of well-documented attacks.
GooseEgg malware customized for Windows print spooler
That Fancy Bear targeted the service itself is not out of the ordinary, according to Microsoft; however, using the newly discovered GooseEgg to elevate privileges in these attacks constitutes new threat activity for the group. GooseEgg is typically deployed with a batch script that launches the corresponding GooseEgg executable and sets up persistence as a scheduled task.
The GooseEgg binary then accepts one of four commands, each with a different execution path. “While the binary appears to issue a trivial command, it actually does so in a unique and sophisticated way, likely to help hide the activity,” according to the post.
Two of the binary’s commands activate the exploit for the print spooler flaw and launch a provided dynamic link library (DLL) or executable with elevated permissions, while another command tests the exploit and verifies that it succeeded.
The name of the embedded malicious DLL launched by GooseEgg typically includes the string “wayzgoose”, as in wayzgoose23.dll. According to Microsoft Threat Intelligence, that DLL and other malware components are deployed in one of several installation subdirectories created under C:\ProgramData.
The exploit eventually replaces the C: drive symbolic link in the object manager so that it points to the newly created directory. When Print Spooler then attempts to load the file C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_amd64_a7412a554c9bc1fd\MPDW-Constraints.js, it is redirected to the actor-controlled directory containing the copied driver packages.
Ultimately, the auxiliary DLL wayzgoose.dll is launched in the context of the Print Spooler service with SYSTEM permissions as “a basic startup application that can spawn other applications” with the same permissions, according to the post.
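The artifacts Microsoft describes (a batch script with scheduled-task persistence, a wayzgoose DLL under a C:\ProgramData subdirectory, a copied driver package with a modified MPDW-constraints.js, and a repointed C: drive link) can be hunted for on a suspect host. The PowerShell below is an added example written for this article, not code from Microsoft's report; the function name Find-GooseEggArtifacts, the decision to search only under ProgramData, and the choice to flag every scheduled task that runs a .bat file are this example's own assumptions.

```powershell
# Added example (not from Microsoft's report or this article): a single-host hunt for the
# GooseEgg artifacts described above. Run in an elevated PowerShell session on the host.
# Every hit is a lead to review, not proof of compromise: a legitimate admin batch task
# matches item 2 just as well.
function Find-GooseEggArtifacts {
    [CmdletBinding()]
    param([string]$ProgramData = $env:ProgramData)

    $findings = New-Object 'System.Collections.Generic.List[object]'
    function Add-Finding([string]$Kind, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
    }

    # 1. Payload DLLs: names containing "wayzgoose" (e.g. wayzgoose23.dll) under an
    #    installation subdirectory of C:\ProgramData.
    Get-ChildItem -Path $ProgramData -Recurse -File -Filter '*wayzgoose*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'PayloadDll' $_.FullName }

    # 2. Persistence: scheduled tasks whose action launches a batch file.
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            $cmd = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
            if ($cmd -match '\.bat(\s|"|$)') {
                Add-Finding 'ScheduledTask' ('{0}{1} -> {2}' -f $task.TaskPath, $task.TaskName, $cmd)
            }
        }
    }

    # 3. Copied driver package: the exploit copies the FileRepository package whose
    #    MPDW-constraints.js the spooler loads into the actor-controlled directory and
    #    modifies it there. Neither the package directory nor that file belongs under ProgramData.
    Get-ChildItem -Path $ProgramData -Recurse -Directory -Filter 'pnms009.inf_amd64_*' -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'DriverPackageCopy' $_.FullName }
    Get-ChildItem -Path $ProgramData -Recurse -File -Filter 'MPDW-constraints.js' -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'ConstraintsCopy' $_.FullName }

    # 4. Drive redirection: the exploit repoints the C: symbolic link in the object manager.
    #    This check only catches it while the redirection is still in place; normally C:
    #    resolves to a \Device\HarddiskVolumeN object. QueryDosDevice is the Win32 API that
    #    returns the current target of a DOS device name.
    if (-not ('GooseEggHunt.Native' -as [type])) {
        Add-Type -Namespace GooseEggHunt -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, uint ucchMax);
'@
    }
    $buf = New-Object System.Text.StringBuilder 1024
    $null = [GooseEggHunt.Native]::QueryDosDevice('C:', $buf, [uint32]$buf.Capacity)
    $target = $buf.ToString()
    if ($target -notmatch '^\\Device\\HarddiskVolume\d+$') {
        Add-Finding 'DriveLink' ("C: resolves to '$target'")
    }

    return $findings.ToArray()
}

$hits = Find-GooseEggArtifacts
if ($hits) { $hits | Format-Table -AutoSize } else { 'No GooseEgg artifacts found on this host.' }
```

Run it as an administrator so the ProgramData walk and the task enumeration are complete; each finding is a lead to triage alongside Defender's HackTool:Win64/GooseEgg detections rather than a verdict on its own.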
Keep Fancy Bear cyber espionage at bay
Fancy Bear has a history of exploiting known vulnerabilities, particularly in Microsoft products, to compromise targets for its activities, which primarily, but not exclusively, involve intelligence gathering. Last year the group mounted a flurry of cyber-espionage attacks against government agencies in NATO countries and organizations in the Middle East by exploiting CVE-2023-23397, a zero-click vulnerability in Microsoft’s Outlook email client.
While the group’s most high-profile operation remains its interference in the 2016 US presidential election, it has been particularly active against Ukraine since Russia’s war against the country began in February 2022.
The best way for organizations to protect themselves from these attacks is to patch the targeted products. Microsoft recommends applying the security update for CVE-2022-38028 to mitigate the GooseEgg threat to Windows Print Spooler; Microsoft Defender Antivirus detects the Forest Blizzard-specific tooling as HackTool:Win64/GooseEgg.
Another mitigation is to disable the Print Spooler service on domain controllers, where it is not required for domain controller operations, according to Microsoft. To identify domain controllers on which the Print Spooler service is still enabled, Microsoft Defender for Identity includes a built-in security assessment that tracks the availability of Print Spooler services on domain controllers.
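As an added example (not from Microsoft's post or this article), the following PowerShell inventories the Print Spooler service on every domain controller in the domain and, when run with -Disable, stops and disables it. It assumes the ActiveDirectory RSAT module, WinRM access to the DCs and a domain-admin session; the function name Get-DcPrintSpoolerState and the patch-date heuristic are this example's own.

```powershell
# Added example, not from the Microsoft post or this article. Reports the Print Spooler
# state on every domain controller and, with -Disable, stops and disables the service.
function Get-DcPrintSpoolerState {
    [CmdletBinding()]
    param(
        [switch]$Disable,
        # CVE-2022-38028 was fixed in the October 2022 security updates (Patch Tuesday, 11 Oct 2022).
        [datetime]$PatchDate = '2022-10-11'
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    Invoke-Command -ComputerName $dcs -ArgumentList $Disable.IsPresent, $PatchDate -ScriptBlock {
        param([bool]$DoDisable, [datetime]$PatchDate)

        $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
        if ($DoDisable -and $svc) {
            if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
            Set-Service -Name Spooler -StartupType Disabled
            $svc = Get-Service -Name Spooler
        }
        $startMode = (Get-CimInstance Win32_Service -Filter "Name='Spooler'").StartMode

        # Coarse heuristic, not a definitive patch check: if the newest installed update
        # predates the October 2022 release, the cumulative update carrying the
        # CVE-2022-38028 fix is probably missing. Confirm the exact KB for each OS
        # against the MSRC advisory for CVE-2022-38028.
        $latest = Get-HotFix | Where-Object InstalledOn |
            Sort-Object InstalledOn -Descending | Select-Object -First 1

        [pscustomobject]@{
            DC              = $env:COMPUTERNAME
            SpoolerStatus   = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
            StartMode       = $startMode
            LatestUpdate    = $latest.HotFixID
            LatestUpdateOn  = $latest.InstalledOn
            LikelyUnpatched = (-not $latest) -or ($latest.InstalledOn -lt $PatchDate)
        }
    } | Select-Object DC, SpoolerStatus, StartMode, LatestUpdate, LatestUpdateOn, LikelyUnpatched
}

# Report only:
Get-DcPrintSpoolerState | Format-Table -AutoSize

# Stop and disable the spooler on every domain controller:
# Get-DcPrintSpoolerState -Disable | Format-Table -AutoSize
```

Review the report before running with -Disable: a DC that also acts as a print server (a configuration Microsoft advises against) would lose printing, and the LikelyUnpatched column only says whether any update has been installed since October 2022, so a DC flagged as patched still needs its OS-specific KB confirmed.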
Greg Fitzgerald, co-founder of Sevco Security, notes that printer bugs are particularly difficult to fix because printers are often under-inventoried.
“Security teams have become incredibly efficient at identifying and remediating CVEs, but increasingly it is these environmental vulnerabilities that create security gaps that allow malicious actors to access data,” Fitzgerald says. “These vulnerabilities are hiding in plain sight in IT environments, creating a threat landscape that security teams can’t see, but are still responsible for. The sad reality is that most organizations are unable to create an accurate inventory of IT assets that reflects the entire attack surface. This puts them at the mercy of attackers who know where to look for forgotten IT assets that contain exploitable vulnerabilities.”