
Microsoft Warns of APT28 Exploiting Print Spooler Flaws to Deploy GooseEgg Malware in Global Cyberattacks

Charles M. Walls | April 23, 2024


A cyberespionage collective with ties to Russia, known as APT28, has been exploiting vulnerabilities in Windows Print Spooler to deploy a specialized hacking tool across various entities in the US, Ukraine, and Western Europe, according to insights from Microsoft.

The hacking tool, referred to as GooseEgg, is essentially a launcher that initiates other applications with heightened permissions. This capability allows the hackers to perform actions such as executing remote code, creating backdoors, and navigating across networks undetected.

Microsoft, which refers to the group as Forest Blizzard, has identified that APT28 utilized known security gaps, notably CVE-2022-38028, CVE-2023-23397, and the duo known as PrintNightmare (CVE-2021-34527 and CVE-2021-1675), to distribute GooseEgg. The targets of these cyberattacks have primarily been governmental bodies, non-profits, educational institutions, and transportation agencies. The aim? To gain unauthorized access, escalate privileges, and pilfer sensitive information.

The deployment of GooseEgg usually occurs alongside a batch script that sets the stage for the malware by ensuring its persistence on the infected system and handling the execution of the malware’s binary. This binary is versatile: it can test the exploit, trigger the exploit to launch additional malicious software with system-level access, and issue custom commands.

Microsoft's analysis reveals that the malware modifies registry settings to establish a new protocol handler and register a custom CLSID that serves as the COM server. It further manipulates the system by replacing the symbolic link for the C: drive in the object manager, pointing it instead to a directory under the actor’s control, which includes driver packages for the exploited Print Spooler service.

Moreover, the tool patches a function to activate the rogue protocol and execute an auxiliary DLL through the Print Spooler service, operating with System permissions. Microsoft describes this library as a straightforward application that enables threat actors to execute specified applications with System privileges, facilitating further malicious operations such as installing backdoors, moving laterally through networks, and executing remote code.

Microsoft strongly advises users to update their systems with the security patches for both the Print Spooler and PrintNightmare vulnerabilities, released in 2022 and 2021, respectively. The tech giant also recommends disabling the Print Spooler service on domain controllers as it is unnecessary for their operation, to further bolster security.
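As an added example (not part of Microsoft's report or this article), the following PowerShell script audits the Print Spooler service on a Windows host, disables it when the host is a domain controller, and on other hosts reports whether the PrintNightmare hardening value that restricts printer driver installation to administrators is set. It assumes an elevated session on Windows PowerShell 5.1 or later.

```powershell
# Added example: audit and harden the Print Spooler service.
# Run from an elevated PowerShell session on the host being checked.

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDomainController = $role -in 4, 5

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if (-not $spooler) {
    Write-Output "Print Spooler service is not installed on $env:COMPUTERNAME."
    return
}

Write-Output ("Host: {0}  DomainController: {1}  Spooler: {2} ({3})" -f
    $env:COMPUTERNAME, $isDomainController, $spooler.Status, $spooler.StartType)

if ($isDomainController) {
    # Domain controllers do not need the Print Spooler; stop it and prevent restarts.
    if ($spooler.Status -ne 'Stopped') {
        Stop-Service -Name Spooler -Force
    }
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output "Print Spooler stopped and disabled on domain controller."
}
else {
    # Member servers and workstations usually need printing. Check the Point and Print
    # hardening value Microsoft published for PrintNightmare: when set to 1, only
    # administrators may install printer drivers. This check is an assumption of the
    # example, not something the article lists.
    $keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $valueName = 'RestrictDriverInstallationToAdministrators'
    $value = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($value -eq 1) {
        Write-Output "Driver installation restricted to administrators: OK."
    }
    else {
        Write-Warning "$valueName is not set to 1; apply the Print Spooler updates and the Point and Print policy."
    }
}
```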

Along with the security updates, Microsoft has shared indicators of compromise and additional resources to aid organizations in detecting and responding to potential GooseEgg infections. These steps are vital in thwarting APT28, which is believed to operate under the Russian General Staff Main Intelligence Directorate (GRU) and targets entities globally to gather intelligence that supports Russian governmental foreign policy goals.
