Illustration: Supimol Kumying | Shutterstock
A Russian state-backed hacking group tracked as Forest Blizzard (also known as Strontium, Fancy Bear and APT28) is using a custom tool called GooseEgg against government and non-governmental organisations in Ukraine, Western Europe and North America.
GooseEgg exploits CVE-2022-38028, an elevation-of-privilege vulnerability in the Windows Print Spooler service, by modifying a JavaScript constraints file so that commands run with SYSTEM-level permissions. The United States and United Kingdom governments have linked the group to the Russian General Staff Main Intelligence Directorate (GRU).
Forest Blizzard has a history of using publicly available exploits in its infiltration attempts. As a GRU unit, its strategic focus is intelligence gathering rather than destructive attacks.
Once it has a foothold on a machine, Forest Blizzard exploits CVE-2022-38028 in the Windows Print Spooler service. The vulnerability lets the threat actor tamper with a JavaScript constraints file that the spooler processes, which gives them the ability to execute commands with SYSTEM-level permissions.
The exploit is packaged in GooseEgg, a launcher that runs a series of commands with those elevated privileges and so enables post-compromise activity inside the network.
“While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks,” Microsoft’s researchers said.
Once inside the network, Forest Blizzard uses GooseEgg for post-compromise activities including:
- Remote code execution: running attacker-supplied code on compromised systems with SYSTEM privileges, giving the group control of the host and access to sensitive data.
- Backdoor installation: planting backdoors that provide persistent access for later operations.
- Lateral movement: launching the tooling needed to reach and exploit additional systems and resources across the compromised network.
- Selectable run paths: GooseEgg takes command-line arguments that choose between different run paths and functions, so the same launcher can be pointed at whichever of these objectives the operator needs.
Forest Blizzard also takes care to stay concealed and persistent in the compromised environment. The GooseEgg deployment sets up persistence as a scheduled task, so the attacker keeps access and functionality after the initial compromise.
GooseEgg is deployed together with supporting scripts and components, including:
- Batch scripts: scripts named execute.bat and doit.bat launch GooseEgg and set up the scheduled-task persistence.
- Binary names: the GooseEgg binary has been seen under names such as justice.exe and DefragmentSrv.exe, which complicates detection.
- DLL injection: Forest Blizzard uses DLL injection, with a DLL named wayzgoose23.dll, to execute malicious code in the context of another process on the compromised system.
Microsoft fixed CVE-2022-38028 in its October 2022 security update. Researchers urge organisations to apply that update immediately and, for Microsoft Defender users, to run endpoint detection and response in block mode, set automated investigation and remediation to full automation, and turn on cloud-delivered protection in Microsoft Defender Antivirus.
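The indicators above (the batch-script and binary names, the wayzgoose DLL, the scheduled-task persistence) and the patch advice can be turned into a quick host-level hunt. The PowerShell below is an added example, not code from the article or from Microsoft; the search roots, the `wayzgoose*.dll` wildcard (the article names only the "23" variant) and the 11 October 2022 release date used for the patch heuristic are assumptions, and the patch check looks only at whether any update has been installed since that date rather than at a specific KB, because the KB number differs per Windows build.

```powershell
<#
  Added hunting example for the GooseEgg artefacts named in the article.
  Not the article's or Microsoft's own code. Assumptions are marked below.
  Run from an elevated PowerShell so that all user profiles and all
  scheduled tasks are readable.
#>
[CmdletBinding()]
param(
    # Assumed drop locations; widen with -Paths if your environment differs.
    [string[]]$Paths = @("$env:ProgramData", "$env:SystemRoot\Temp", "$env:SystemDrive\Users"),
    # October 2022 Patch Tuesday (assumed date of the fixing update).
    [datetime]$PatchReleased = (Get-Date '2022-10-11')
)

# File-name indicators from the article. The wildcard DLL pattern is an
# assumption; the article names only wayzgoose23.dll.
$FileIndicators = @('execute.bat', 'doit.bat', 'justice.exe', 'DefragmentSrv.exe', 'wayzgoose*.dll')
$findings = [System.Collections.Generic.List[object]]::new()

# 1. Look for the indicator file names under the chosen roots.
foreach ($root in $Paths) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Force -Include $FileIndicators -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Type = 'File'; Indicator = $_.Name; Detail = $_.FullName; When = $_.LastWriteTime })
        }
}

# 2. Scheduled tasks whose action references an indicator. The article says
#    persistence is set up as a scheduled task, so a task that launches
#    doit.bat or DefragmentSrv.exe is worth a look.
$pattern = ($FileIndicators | ForEach-Object { [regex]::Escape($_) -replace '\\\*', '.*' }) -join '|'
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $pattern) {      # -match is case-insensitive by default
            $findings.Add([pscustomobject]@{
                Type = 'ScheduledTask'; Indicator = "$($task.TaskPath)$($task.TaskName)"; Detail = $cmd; When = $null })
        }
    }
}

# 3. Coarse patch-level heuristic: has any update been installed since the
#    October 2022 release? Not a KB-number check (KBs differ per build).
$latestFix = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latestFix -or $latestFix.InstalledOn -lt $PatchReleased) {
    $findings.Add([pscustomobject]@{
        Type = 'PatchLevel'; Indicator = 'No update installed since Oct 2022'
        Detail = "$($latestFix.HotFixID)"; When = $latestFix.InstalledOn })
}

# 4. State of the exploited service and of Defender cloud-delivered
#    protection (MAPSReporting 0 = off, 1 = basic, 2 = advanced).
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$findings.Add([pscustomobject]@{
    Type = 'Service'; Indicator = 'Spooler'
    Detail = "Status=$($spooler.Status) StartType=$($spooler.StartType)"; When = $null })
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    $findings.Add([pscustomobject]@{
        Type = 'Defender'; Indicator = 'CloudDeliveredProtection'
        Detail = "MAPSReporting=$($mp.MAPSReporting)"; When = $null })
}

$findings | Format-Table -AutoSize
```

A file or task hit here is a lead, not a verdict: the batch-script names are generic enough to collide with legitimate software, so confirm by inspecting the file contents and the task's creation time and author before acting. An absence of hits says nothing about renamed copies, which is why the patch level and the Defender settings are reported alongside the indicator search.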