Forest Blizzard [1] [2] [3] [5] [7] [8] [9] [10], also known as APT28 [2] [3] [7], Fancy Bear [5] [6] [7] [9], Sednit [5], and Sofacy, is a Russian threat actor associated with the GRU intelligence service. This threat actor has been exploiting the Windows Print Spooler vulnerability, CVE-2022-38028 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], using a custom tool called GooseEgg since at least June 2020.

Description

Forest Blizzard targets government [1] [5] [8], education [2] [5] [7] [10], and transportation sector organizations in Ukraine [2] [7], Europe [1] [2] [3] [4] [5] [6] [7] [8], and North America [2] [4] [5] [7] [8]. The group uses GooseEgg for post-compromise activity such as remote code execution and lateral movement [5]. GooseEgg lets the threat actor spawn elevated processes, enabling further malicious actions. After gaining initial access [5], Forest Blizzard deploys GooseEgg through batch scripts to elevate privileges [5], establish persistence, and run malicious DLLs or executables with SYSTEM permissions [5]. The tool's commands support checking whether the exploit succeeded [5], identifying a custom version [5], and escalating privileges [5] [8] [10], which aids credential theft and helps maintain elevated access on compromised targets [5]. GooseEgg creates registry keys [5], registers a rogue protocol handler and COM server [5], and replaces symbolic links so that a malicious file is loaded [5], which launches the wayzgoose.dll malware with SYSTEM privileges [5]. This DLL acts as a launcher for installing backdoors [5], moving laterally [3] [4] [5] [10], and executing code remotely on compromised systems, demonstrating Forest Blizzard's misuse of legitimate utilities for malicious purposes [5].
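As an added defender-side example (not code from any of the cited reports), the following Python check runs over constructed Sysmon-style process-create and image-load records and flags the two behaviours the summary attributes to GooseEgg: wayzgoose.dll being loaded in a SYSTEM-context process, and an elevated child process spawned out of the Print Spooler service. It assumes spoolsv.exe is the Print Spooler service binary (not named on this page), that the field names mirror Sysmon event IDs 1 and 7, and the sample records are constructed.

```python
from typing import Dict, List, Tuple

# Constructed sample telemetry; "Event" 7 = image load, 1 = process create.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Event": "7", "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\ProgramData\example\wayzgoose.dll",   # constructed path
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Event": "7", "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\localspl.dll",       # benign spooler DLL
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Event": "1", "ParentImage": r"C:\Windows\System32\spoolsv.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Event": "1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\alice"},                                   # ordinary user shell
]

SPOOLER = "spoolsv.exe"          # assumption: Print Spooler service process
LAUNCHER_DLL = "wayzgoose.dll"   # launcher DLL named in the summary above


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_system(user: str) -> bool:
    """True for the local SYSTEM account in DOMAIN\\user form."""
    return user.upper().endswith("\\SYSTEM")


def flag_gooseegg_behaviour(events: List[Dict[str, str]]) -> List[Tuple[str, Dict[str, str]]]:
    """Return (reason, event) pairs that match the behaviours described above."""
    hits = []
    for ev in events:
        user = ev.get("User", "")
        if ev.get("Event") == "7" and basename(ev.get("ImageLoaded", "")) == LAUNCHER_DLL:
            ctx = "as SYSTEM" if is_system(user) else f"as {user}"
            hits.append((f"wayzgoose.dll loaded by {basename(ev.get('Image', ''))} {ctx}", ev))
        elif (ev.get("Event") == "1"
              and basename(ev.get("ParentImage", "")) == SPOOLER
              and is_system(user)):
            hits.append(("SYSTEM child spawned by Print Spooler", ev))
    return hits


if __name__ == "__main__":
    for reason, ev in flag_gooseegg_behaviour(SAMPLE_EVENTS):
        print(f"{reason}: {ev.get('ImageLoaded', ev.get('Image'))}")
```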

Conclusion

The exploitation of CVE-2022-38028 by Forest Blizzard using GooseEgg poses a significant threat to organizations in various sectors and regions. Mitigations such as patching the vulnerability, implementing network segmentation, and monitoring for suspicious activities are crucial to defend against such attacks. The continued evolution of tactics and tools by threat actors like Forest Blizzard underscores the importance of proactive cybersecurity measures to protect sensitive data and infrastructure.

References

[1] https://techmonitor.ai/technology/software/microsoft-identifies-russian-hacking-group-deploying-gooseegg-malware
[2] https://www.infosecurity-magazine.com/news/russian-apt28-gooseegg-hacking/
[3] https://arstechnica.com/security/2024/04/kremlin-backed-hackers-exploit-critical-windows-vulnerability-reported-by-the-nsa/
[4] https://www.scmagazine.com/news/russian-group-exploits-windows-print-spooler-bug-via-gooseegg-malware
[5] https://cybersecuritynews.com/russian-apt28-exploits-windows-print-spooler/
[6] https://winbuzzer.com/2024/04/23/microsoft-identifies-russian-apt28-exploiting-windows-vulnerability-with-gooseegg-tool-xcxwbn/
[7] https://duo.com/decipher/russian-group-forest-blizzard-deploying-gooseegg-tool-to-exploit-cve-2022-38028
[8] https://www.csoonline.com/article/2094456/russian-state-sponsored-hacker-used-gooseegg-malware-to-steal-windows-credentials.html
[9] https://www.helpnetsecurity.com/2024/04/23/cve-2022-38028-exploits/
[10] https://www.scmagazine.com/brief/novel-tool-leveraged-by-apt28-to-exploit-old-windows-vulnerability