APT28 Uses GooseEgg to Exploit Windows Flaw

Written by Mitchell Langley

April 23, 2024


Microsoft has issued a warning regarding the activities of the APT28 threat group. APT28 is currently exploiting a vulnerability in the Windows Print Spooler to gain elevated privileges and unlawfully access credentials and sensitive data.

Their method involves the use of a newly discovered hacking tool called GooseEgg.

According to Microsoft, APT28 has been utilizing GooseEgg to exploit the CVE-2022-38028 vulnerability since at least June 2020, and potentially even as early as April 2019.

In response to this threat, Microsoft has addressed the vulnerability in their October 2022 Patch Tuesday release, as reported by the U.S. National Security Agency.

While the vulnerability has been fixed, Microsoft has not yet classified it as actively exploited in their advisory.

Hackers from the Russian GRU Military Unit 26165 Involved

The advisory concerns military hackers associated with Russia’s Main Intelligence Directorate of the General Staff (GRU), specifically Military Unit 26165. These hackers have been using the newly discovered GooseEgg tool to carry out their operations.

GooseEgg enables the attackers to escalate their privileges and execute various commands with SYSTEM-level access. Microsoft has observed that the attackers commonly deploy GooseEgg by disguising it as a Windows batch script, named either ‘execute.bat’ or ‘doit.bat’.

APT28 Used GooseEgg for Infiltrating Systems and Elevating Privileges

Once executed, GooseEgg establishes persistence on the compromised system by creating a scheduled task that triggers the execution of a second batch script called ‘servtask.bat’.

Additionally, the hackers utilize GooseEgg to inject a malicious DLL file, known as ‘wayzgoose23.dll’, into the PrintSpooler service. This allows them to operate with SYSTEM-level permissions, facilitating their unauthorized activities.

The DLL file ‘wayzgoose23.dll’ acts as an app launcher: it enables the attackers to execute additional payloads with SYSTEM-level permissions, granting them significant control over the compromised systems.

By leveraging this capability, the attackers can deploy backdoors, move laterally within the networks of their victims, and remotely execute code on breached systems. This enhances their ability to carry out unauthorized actions and maintain persistence within the compromised infrastructure.
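The following added example, which is not from Microsoft or the original article, hunts endpoint telemetry for the three reported stages: a launcher batch script, a scheduled task pointing at ‘servtask.bat’, and ‘wayzgoose23.dll’ loaded by the Print Spooler process (spoolsv.exe). The JSON event schema, host names and file paths are constructed assumptions; only the file names come from the article.

```python
import json
import ntpath
import re
from collections import defaultdict

# File names are the ones the article reports; the event schema
# (host/type/image/detail) and every sample record are constructed.
LAUNCH_SCRIPTS = {"execute.bat", "doit.bat"}
PERSIST_SCRIPT, SPOOLER_DLL = "servtask.bat", "wayzgoose23.dll"
NAME_RE = re.compile(r"[^\\/\s\"'=]+\.(?:bat|dll)(?!\w)", re.IGNORECASE)

SAMPLE_LOG = r"""
{"host":"ws-01","type":"process_create","image":"C:\\Windows\\System32\\cmd.exe","detail":"cmd.exe /c C:\\Temp\\DoIt.bat"}
{"host":"ws-01","type":"task_create","image":"","detail":"Action=C:\\Temp\\servtask.bat"}
{"host":"ws-01","type":"image_load","image":"C:\\Windows\\System32\\spoolsv.exe","detail":"C:\\Temp\\wayzgoose23.dll"}
{"host":"ws-02","type":"process_create","image":"C:\\Windows\\System32\\cmd.exe","detail":"cmd /c D:\\build\\execute.bat"}
{"host":"ws-03","type":"image_load","image":"C:\\Windows\\System32\\spoolsv.exe","detail":"C:\\Windows\\System32\\localspl.dll"}
not-json: truncated record
""".strip().splitlines()

def classify(event):
    """Return the reported stage an event matches, or None."""
    names = {n.lower() for n in NAME_RE.findall(event.get("detail") or "")}
    proc = ntpath.basename(event.get("image") or "").lower()
    kind = event.get("type")
    if kind == "process_create" and names & LAUNCH_SCRIPTS:
        return "launch_script"
    if kind == "task_create" and PERSIST_SCRIPT in names:
        return "task_persistence"
    if kind == "image_load" and proc == "spoolsv.exe" and SPOOLER_DLL in names:
        return "spooler_dll"
    return None

def hunt(lines):
    """Map host -> set of stages seen; unparseable lines are skipped."""
    hits = defaultdict(set)
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        stage = classify(event) if isinstance(event, dict) else None
        if stage:
            hits[event.get("host", "unknown")].add(stage)
    return dict(hits)

def triage(hits):
    """All three stages on one host -> 'high'; partial match -> 'review'."""
    return {h: "high" if len(s) == 3 else "review" for h, s in hits.items()}
```

Because ‘execute.bat’ and ‘doit.bat’ are generic names, a single match is only marked for review; the full chain on one host is what raises priority.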

“Microsoft has observed Forest Blizzard using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations,”

Microsoft explains.

“While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks.”

History of APT28 Cyberattacks

APT28, a well-known hacking group originating from Russia, has gained significant attention due to its involvement in numerous notable cyber attacks since its emergence in the mid-2000s.

One example is an incident from one year ago, when intelligence services of the United States and the United Kingdom issued warnings regarding APT28’s use of a zero-day vulnerability in Cisco routers.

Through this exploit, they deployed the Jaguar Tooth malware, which enabled them to gather sensitive data from targeted entities within the United States and the European Union.

More recently, in February, a joint advisory was released by the FBI, NSA, and international partners, alerting the public to APT28’s utilization of compromised Ubiquiti EdgeRouters to avoid detection in their attacks.

In the past, APT28 has been implicated in various significant breaches. They were associated with the cyber intrusion of the German Federal Parliament (Deutscher Bundestag) and were also responsible for hacking into the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) prior to the 2016 U.S. Presidential Election.

Two years after these incidents, the United States charged several individuals linked to APT28 for their involvement in the attacks on the DNC and DCCC. Additionally, in October 2020, the Council of the European Union imposed sanctions on APT28 members in connection with the breach of the German Federal Parliament.
