Russian hackers exploit Windows Print Spooler vulnerability for cyber attacks

April 24, 2024

TLDR:

  • Russian military intelligence hackers are exploiting a Windows print spooler vulnerability to deploy a custom tool known as GooseEgg.
  • APT28, the Russian hacking group behind this exploit, has conducted spear-phishing campaigns against authorities in Ukraine, the U.S., and the U.K.

Russian military intelligence hackers are using an 18-month-old vulnerability in the Windows print spooler utility to deploy a custom tool called GooseEgg. Microsoft disclosed the use of this tool by APT28, also known as Fancy Bear and Forest Blizzard. GooseEgg allows for elevated permissions to support objectives such as remote code execution, backdoor installation, and lateral movement through networks.

The Russian state hacking group Unit 26165 of the 85th Main Special Services Center within the GRU is using GooseEgg primarily against government agencies, non-governmental organizations, educational institutions, and transportation sector organizations in Ukraine, Western Europe, and North America. The tool operates stealthily within compromised systems by manipulating system files like MPDW-constraints.js to gain system-level permissions.

Forest Blizzard, also known as APT28, has been using GooseEgg since at least June 2020. The hack exploits a flaw discovered by the NSA in 2022, tracked as CVE-2022-38028, allowing attackers to gain system privileges. GooseEgg is typically deployed alongside batch scripts and operates within compromised systems under names like justice.exe or DefragmentSrv.exe. The tool derives its name from an embedded malicious file with the phrase “wayzgoose” in it.
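The article names several host-level indicators a defender can hunt for: the GooseEgg file names justice.exe and DefragmentSrv.exe, the manipulated file MPDW-constraints.js, and the embedded string "wayzgoose". The script below is an added example written for this page, not code from Microsoft or from the article; it runs a simple indicator match over constructed process-creation records (tab-separated timestamp, host, parent image, image path, command line, a format assumed for the example). The rule that flags spoolsv.exe spawning a command interpreter is an assumed heuristic derived from the vulnerability being in the print spooler, not a detection the article itself describes.

```python
"""Hunt constructed process-creation records for the GooseEgg indicators named
in the article. All sample events below are constructed, not real telemetry."""
import ntpath
from dataclasses import dataclass

# Indicators taken from the article; comparisons are case-insensitive.
SUSPICIOUS_IMAGE_NAMES = {"justice.exe", "defragmentsrv.exe"}
SUSPICIOUS_FILE_REFERENCES = ("mpdw-constraints.js",)
SUSPICIOUS_STRINGS = ("wayzgoose",)

# Assumed heuristic (not from the article): the spooler service should not
# normally launch a command interpreter.
SPOOLER_PARENT = "spoolsv.exe"
COMMAND_INTERPRETERS = {"cmd.exe", "powershell.exe"}

# Constructed sample events: (timestamp, host, parent image, image path, command line)
SAMPLE_EVENTS = [
    ("2024-04-23T10:01:02Z", "WS01", "explorer.exe",
     r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ("2024-04-23T10:05:44Z", "WS01", "cmd.exe",
     r"C:\Users\Public\justice.exe", "justice.exe -i"),
    ("2024-04-23T10:06:10Z", "WS02", "spoolsv.exe",
     r"C:\Windows\System32\cmd.exe", r"cmd.exe /c copy MPDW-constraints.js C:\ProgramData\ "),
    ("2024-04-23T10:07:30Z", "WS03", "services.exe",
     r"C:\ProgramData\DefragmentSrv.exe", "DefragmentSrv.exe"),
    ("2024-04-23T10:08:00Z", "WS04", "explorer.exe",
     r"C:\Program Files\App\app.exe", "app.exe --update"),
]
SAMPLE_LOG = "\n".join("\t".join(event) for event in SAMPLE_EVENTS)


@dataclass
class Finding:
    timestamp: str
    host: str
    reasons: list[str]
    line: str


def analyse_line(line: str) -> list[str]:
    """Return the reasons one tab-separated record is suspicious (empty if none)."""
    fields = line.split("\t")
    if len(fields) != 5:
        return []  # malformed record: ignore rather than guess
    _ts, _host, parent, image, cmdline = fields
    image_name = ntpath.basename(image).lower()
    haystack = f"{image} {cmdline}".lower()
    reasons = []
    if image_name in SUSPICIOUS_IMAGE_NAMES:
        reasons.append(f"image name {image_name} matches a GooseEgg name from the article")
    if any(ref in haystack for ref in SUSPICIOUS_FILE_REFERENCES):
        reasons.append("references MPDW-constraints.js")
    if any(s in haystack for s in SUSPICIOUS_STRINGS):
        reasons.append("contains the string 'wayzgoose'")
    if parent.lower() == SPOOLER_PARENT and image_name in COMMAND_INTERPRETERS:
        reasons.append("print spooler spawned a command interpreter (assumed heuristic)")
    return reasons


def hunt(log_text: str) -> list[Finding]:
    """Scan every record in log_text and collect the ones that match an indicator."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = analyse_line(line)
        if reasons:
            ts, host = line.split("\t")[:2]
            findings.append(Finding(ts, host, reasons, line))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host}: {'; '.join(f.reasons)}")
```

Against the constructed sample, the records from WS01 (justice.exe), WS02 (spooler-spawned cmd.exe touching MPDW-constraints.js) and WS03 (DefragmentSrv.exe) are flagged and the two benign records are not. File-name matches are weak on their own, since an operator can rename a binary; the value of the MPDW-constraints.js and spooler-parent rules is that they key on behaviour around the vulnerable component rather than on a name.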
