Microsoft researchers uncovered a new tool in the Russian state hackers’ arsenal that helped them gain elevated access, pilfer credentials and allowed lateral movement within compromised networks. Dubbed GooseEgg malware, this sophisticated tool exploits a vulnerability identified as CVE-2022-38028 in the Windows Print Spooler service, responsible for managing printing processes.
Redmond fixed the vulnerability that gave attackers system privileges in its October 2022 Patch Tuesday stating the bug’s exploitation is “most likely.” It is yet to flag the flaw as actively exploited in its assessment.
Hackers Leverage the GooseEgg Malware to Exploit Windows Devices
GooseEgg malware is exclusively used by a group that the tech giant tracks as “Forest Blizzard,” which the United States and United Kingdom governments closely links to the Unit 26165 of Russia’s military intelligence agency, the GRU.
Forest Blizzard, also known as Fancy Bear and APT28, has deployed GooseEgg since at least June 2020, targeting state, non-governmental, educational and transportation entities across Ukraine, Western Europe and North America, Microsoft said.
“The use of GooseEgg in Forest Blizzard operations is a unique discovery that had not been previously reported by security providers,” Redmond said.
Upon gaining access to a target device, Forest Blizzard used GooseEgg to escalate privileges within the network. Although GooseEgg itself functions as a basic launcher application, it enables attackers to execute remote code, implant backdoors and traverse compromised networks laterally.
The Rise of Forest Blizzard Hackers
Forest Blizzard additionally exploits other vulnerabilities including CVE-2023-23397, which impacts all versions of Microsoft Outlook software on Windows devices and is known to be exploited. This critically rated bug allows attackers to steal the Net-NTLM hash from the victims, enabling the attackers to assume a victim identity and to move deeper into the organization.
In a December warning, Microsoft cautioned that Forest Blizzard was leveraging the Microsoft Outlook bug to illicitly access email accounts within Microsoft Exchange servers since April 2022.
Forest Blizzard primarily targets government, energy, transportation and non-governmental organizations in the United States, Europe and the Middle East but Microsoft said it had observed the GRU hackers focus shift to media, information technology, sports organizations and educational institutions worldwide.
“Forest Blizzard continually refines its footprint by employing new custom techniques and malware, suggesting that it is a well-resourced and well-trained group posing long-term challenges to attribution and tracking its activities,” Microsoft said.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
