The Russia-linked nation-state threat actor tracked as APT28 weaponized a security flaw in the Print Spooler component of Microsoft Windows to deliver a previously unknown custom malware called GooseEgg.
The post-compromise tool, said to have been in use since at least June 2020 and possibly as early as April 2019, exploited a now-patched flaw that allowed privilege escalation (CVE-2022-38028, CVSS score: 7.8).
The issue was fixed by Microsoft as part of updates released in October 2022, with the US National Security Agency (NSA) credited for reporting the flaw at the time.
According to new findings from the tech giant’s threat intelligence team, APT28 – also called Fancy Bear and Forest Blizzard (formerly Strontium) – used the bug as a weapon in attacks against Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations.
“Forest Blizzard used the tool […] to exploit the CVE-2022-38028 vulnerability in the Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions,” the company said.
“Despite being a simple startup application, GooseEgg is able to spawn other applications specified on the command line with elevated permissions, allowing threat actors to support any subsequent objectives such as remote code execution, installing a backdoor and lateral movement through compromised networks.”
Forest Blizzard is believed to be affiliated with Unit 26165 of the Russian Federation’s military intelligence agency, the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
Active for nearly 15 years, the Kremlin-backed hacking group’s activities are predominantly geared toward gathering intelligence to support the Russian government’s foreign policy initiatives.
In recent months, APT28 hackers have also abused a privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) and a code execution bug in WinRAR (CVE-2023-38831, CVSS score: 7.8), indicating their ability to quickly adopt public exploits into their tradecraft.
“Forest Blizzard’s goal in implementing GooseEgg is to gain high access to target systems and steal credentials and information,” Microsoft said. “GooseEgg is typically distributed with a batch script.”
The GooseEgg binary supports commands to trigger the exploit and launch a provided dynamic link library (DLL) or executable with elevated permissions. It also checks whether the exploit was successfully activated by running the whoami command.
The disclosure comes as IBM
- GammaLoad.VBS, a VBS-based backdoor that starts the infection chain
- GammaStager, which is used to download and execute a series of Base64 encoded VBS payloads
- GammaLoadPlus, used to run .EXE payloads
- GammaInstall, which acts as the loader for a known PowerShell backdoor called GammaSteel
- GammaLoad.PS, a PowerShell implementation of GammaLoad
- GammaLoadLight.PS, a PowerShell variant that contains code to propagate itself to connected USB devices
- GammaInfo, a PowerShell-based enumeration script that collects various information from the host
- GammaSteel, a PowerShell-based malware to exfiltrate files from a victim based on an allowlist of extensions
“Hive0051 rotates infrastructure through synchronized DNS flow across multiple channels including Telegram, Telegraph and Filetransfer.io,” IBM X-Force researchers said earlier this month, saying it “indicates a potential increase in the resources and capabilities of the actors dedicated to ongoing operations”.
“Hive0051’s continued fielding of new tools, capabilities and delivery methods is very likely to facilitate an accelerated pace of operations.”