Russian APT28 Hackers Exploit Windows Flaw Highlighted by NSA

April 22, 2024

Microsoft has alerted users that the Russian threat group APT28 is exploiting a vulnerability in the Windows Print Spooler to gain elevated privileges and steal data. The group is using a novel hacking tool, named GooseEgg, that was designed to exploit CVE-2022-38028, a vulnerability initially reported by the U.S. National Security Agency. Microsoft patched the flaw as part of its October 2022 Patch Tuesday. APT28, also known as Military Unit 26165 of Russia's Main Intelligence Directorate of the General Staff (GRU), uses GooseEgg to launch additional malicious tools and execute various commands with SYSTEM-level privileges.

The tool is deployed as a Windows batch script, either 'execute.bat' or 'doit.bat', which launches the GooseEgg executable and gains persistence on the compromised system by adding a scheduled task that runs 'servtask.bat', another batch script written to disk. The exploit is also used to drop an embedded malicious DLL file, sometimes named 'wayzgoose23.dll', in the context of the Print Spooler service with SYSTEM permissions. This DLL functions as an application launcher that can execute other payloads with SYSTEM-level permissions, enabling the attackers to deploy backdoors, move laterally through victims' networks, and run remote code on breached systems.
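As an added example (not code from the article or from Microsoft's report), the following Python detector turns the observations above into three checks run over constructed, simplified Windows Security (4688, 4698) and Sysmon (7) events: a process launched from 'execute.bat' or 'doit.bat', a scheduled task whose action references 'servtask.bat', and the Print Spooler process loading a DLL that is unsigned, lives outside System32, or carries the 'wayzgoose23.dll' name. The key=value event layout and the sample paths are assumptions for illustration only.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (not real telemetry). The key=value layout is a
# simplification of Windows Security (4688, 4698) and Sysmon (7) event fields.
SAMPLE_EVENTS = [
    r'EventID=4688 Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c C:\Users\Public\execute.bat" User=ACME\jdoe',
    r'EventID=4698 TaskName=\Maintenance TaskContent="<Exec><Command>cmd.exe</Command><Arguments>/c C:\ProgramData\servtask.bat</Arguments></Exec>"',
    r'EventID=7 Image=C:\Windows\System32\spoolsv.exe ImageLoaded=C:\Windows\Temp\wayzgoose23.dll Signed=false',
    r'EventID=7 Image=C:\Windows\System32\spoolsv.exe ImageLoaded=C:\Windows\System32\localspl.dll Signed=true',
    r'EventID=4688 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe notes.txt" User=ACME\jdoe',
]

# Artefact names reported in the article.
LAUNCHER_SCRIPTS = ("execute.bat", "doit.bat")
PERSISTENCE_SCRIPT = "servtask.bat"
KNOWN_DLL = "wayzgoose23.dll"

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict; quoted values may contain spaces."""
    return {k: (q or u) for k, q, u in FIELD_RE.findall(line)}

def classify(ev: Dict[str, str]) -> str:
    """Return the name of the matching rule, or '' when no rule fires."""
    eid = ev.get("EventID")
    if eid == "4688":  # process creation: look for the launcher batch scripts
        cmd = ev.get("CommandLine", "").lower()
        if any(name in cmd for name in LAUNCHER_SCRIPTS):
            return "gooseegg_launcher_script"
    elif eid == "4698":  # scheduled task created: persistence via servtask.bat
        if PERSISTENCE_SCRIPT in ev.get("TaskContent", "").lower():
            return "scheduled_task_runs_servtask"
    elif eid == "7":  # image loaded: untrusted DLL inside the Print Spooler
        loaded = ev.get("ImageLoaded", "").lower()
        if ev.get("Image", "").lower().endswith("\\spoolsv.exe"):
            outside_system32 = not loaded.startswith("c:\\windows\\system32\\")
            if loaded.endswith(KNOWN_DLL) or outside_system32 or ev.get("Signed") == "false":
                return "spooler_loaded_untrusted_dll"
    return ""

def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every rule over the lines; returns (rule, offending line) pairs."""
    hits = []
    for line in lines:
        rule = classify(parse_event(line))
        if rule:
            hits.append((rule, line))
    return hits

if __name__ == "__main__":
    for rule, line in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {line}")
```

The Spooler rule deliberately fires on any unsigned or out-of-System32 module rather than only the reported DLL name, since file names are trivially changed between intrusions.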

Microsoft has observed that the group, also known as Forest Blizzard, uses GooseEgg in post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations. "While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks," Microsoft explains.

APT28 is a well-known Russian hacking group that has been responsible for numerous high-profile cyberattacks since the mid-2000s. Last year, intelligence services from the U.S. and U.K. warned that APT28 was exploiting a Cisco router zero-day to deploy Jaguar Tooth malware, enabling it to gather sensitive information from targets in the U.S. and EU. More recently, a joint advisory issued by the FBI, the NSA, and international partners warned that APT28 used hacked Ubiquiti EdgeRouters to evade detection in attacks. The group has been linked to the breach of the German Federal Parliament (Deutscher Bundestag) and to the hacks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) ahead of the 2016 U.S. Presidential Election. In 2018, the U.S. charged APT28 members for their involvement in the DNC and DCCC attacks, and the Council of the European Union sanctioned APT28 members in October 2020 for the German Federal Parliament hack.
