Microsoft researchers have discovered a notorious Russian state-backed threat actor using a previously undocumented tool called GooseEgg to steal credentials and escalate privileges after gaining initial access to a device.
The tool has been in use for at least four years and possibly longer, and it has the ability to exploit a Windows Print Spooler vulnerability (CVE-2022-38028), which wasn’t disclosed until 2022. Actors from a threat group that Microsoft calls Forest Blizzard, known more commonly as Fancy Bear or APT28, have deployed GooseEgg in attacks on a variety of targets in Europe and North America in recent years. The tool is relatively simple but effective, and it can launch other applications and support lateral movement.
“Microsoft has observed Forest Blizzard using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations. While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks,” Microsoft said in a new analysis.
Forest Blizzard is a threat group associated with Russia’s GRU intelligence service and has been active for nearly 15 years. The group generally targets organizations of strategic value for Russia’s foreign policy objectives, including government agencies, technology providers, and higher education institutions.
“Microsoft has observed that, after obtaining access to a target device, Forest Blizzard uses GooseEgg to elevate privileges within the environment. GooseEgg is typically deployed with a batch script, which we have observed using the name execute.bat and doit.bat. This batch script writes the file servtask.bat, which contains commands for saving off/compressing registry hives. The batch script invokes the paired GooseEgg executable and sets up persistence as a scheduled task designed to run servtask.bat,” Microsoft said in its analysis.
“The GooseEgg binary—which has included but is not limited to the file names justice.exe and DefragmentSrv.exe—takes one of four commands, each with different run paths. While the binary appears to launch a trivial given command, in fact the binary does this in a unique and sophisticated manner, likely to help conceal the activity.”
The first command does little, but the second and third commands launch the actual exploit for the CVE-2022-38028 vulnerability, and the fourth checks whether the exploit succeeded. Microsoft researchers said GooseEgg creates a new directory; when the Print Spooler service tries to load a specific driver, it is redirected to that attacker-created directory, where it picks up a function that the attacker has modified.
“This results in the auxiliary DLL wayzgoose.dll launching in the context of the PrintSpooler service with SYSTEM permissions. wayzgoose.dll is a basic launcher application capable of spawning other applications specified at the command line with SYSTEM-level permissions, enabling threat actors to perform other malicious activities such as installing a backdoor, moving laterally through compromised networks, and remotely executing code,” the Microsoft analysis says.
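The deployment chain Microsoft describes above (a batch script, a scheduled task that runs servtask.bat, a binary under a name such as justice.exe or DefragmentSrv.exe, and wayzgoose.dll ending up loaded inside the Print Spooler) gives a defender several concrete things to look for. The following detection sketch is an example added to this page, not Microsoft's own detection logic: it assumes a simplified newline-delimited JSON shape for process-creation and image-load events (the field names `event`, `image`, `command_line`, `parent_image` and `loaded_image` are this example's own convention, not a real product's schema), and the log lines it runs over are constructed for illustration. It flags the file names the article reports and, more generally, any DLL the spooler loads from outside C:\Windows, which is the behaviour the driver-directory redirection produces.

```python
"""Detection sketch for the GooseEgg tradecraft described in the article.

Example code added here; not Microsoft's detection logic. Event shape and
sample log lines are constructed assumptions for this illustration.
"""
import json

# File names the article attributes to GooseEgg deployments (case-folded).
BATCH_NAMES = {"execute.bat", "doit.bat"}
PERSIST_SCRIPT = "servtask.bat"
BINARY_NAMES = {"justice.exe", "defragmentsrv.exe"}
AUX_DLL = "wayzgoose.dll"
SPOOLER = "spoolsv.exe"


def basename(path):
    """Last path component, lower-cased; accepts either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(ev):
    """Return a list of finding strings for one event dict (empty if benign)."""
    findings = []
    kind = ev.get("event")
    if kind == "process_create":
        image = basename(ev.get("image", ""))
        cmd = ev.get("command_line", "").lower()
        if image in BINARY_NAMES:
            findings.append(f"known GooseEgg binary name: {image}")
        if image == "cmd.exe" and any(n in cmd for n in BATCH_NAMES):
            findings.append("GooseEgg deployment batch script name in command line")
        # Persistence: a scheduled task whose action runs servtask.bat.
        if image == "schtasks.exe" and "/create" in cmd and PERSIST_SCRIPT in cmd:
            findings.append("scheduled task created to run servtask.bat")
    elif kind == "image_load":
        loader = basename(ev.get("image", ""))
        loaded_path = ev.get("loaded_image", "")
        loaded = basename(loaded_path)
        if loader == SPOOLER:
            if loaded == AUX_DLL:
                findings.append("wayzgoose.dll loaded by the Print Spooler")
            elif loaded.endswith(".dll") and not loaded_path.lower().startswith("c:\\windows\\"):
                # Generic form of the redirection: the spooler should not be
                # picking up driver DLLs from user-writable locations.
                findings.append(f"Print Spooler loaded a DLL from outside C:\\Windows: {loaded_path}")
    return findings


def scan(lines):
    """Parse newline-delimited JSON events; return (line_number, finding) pairs."""
    results = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the scan
        for finding in analyze_event(ev):
            results.append((n, finding))
    return results


# Constructed sample log (not real telemetry). Paths under C:\Users\Public are
# placeholders for the attacker-created directory the article mentions.
SAMPLE_LOG = r'''
{"event": "process_create", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c C:\\Users\\Public\\execute.bat", "parent_image": "C:\\Windows\\explorer.exe"}
{"event": "process_create", "image": "C:\\Windows\\System32\\schtasks.exe", "command_line": "schtasks.exe /create /tn Defrag /tr C:\\Users\\Public\\servtask.bat /sc minute", "parent_image": "C:\\Windows\\System32\\cmd.exe"}
{"event": "process_create", "image": "C:\\Users\\Public\\justice.exe", "command_line": "justice.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe"}
{"event": "image_load", "image": "C:\\Windows\\System32\\spoolsv.exe", "loaded_image": "C:\\Users\\Public\\gooseegg_dir\\wayzgoose.dll"}
{"event": "image_load", "image": "C:\\Windows\\System32\\spoolsv.exe", "loaded_image": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\vendor_driver.dll"}
{"event": "process_create", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe", "parent_image": "C:\\Windows\\explorer.exe"}
'''


if __name__ == "__main__":
    for line_no, finding in scan(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {finding}")
```

Running the block prints four findings for the constructed log (the batch script, the scheduled task, the binary name and the spooler DLL load) and nothing for the two benign events. The name-based checks are brittle on their own, since the article itself notes the binary has used more than one name; the spooler-loads-from-outside-C:\Windows rule is the part worth keeping in production telemetry, tuned against the legitimate driver paths seen in a given environment.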