
GooseEgg Malware

Cybersecurity analysts have discovered a threatening tool used by Russian state-backed hackers to obtain sensitive credentials within compromised networks. Dubbed GooseEgg, this malware exploits a vulnerability identified as CVE-2022-38028 in the Windows Print Spooler service (the component responsible for managing print jobs) by altering a JavaScript constraints file and executing it with SYSTEM-level permissions. Analysts note that GooseEgg appears to be used exclusively by an APT (Advanced Persistent Threat) group known as APT28, which is affiliated with Russia's military intelligence arm, the GRU.

According to the findings, APT28—also recognized as Fancy Bear and Forest Blizzard—has been deploying this malware since at least June 2020, targeting various sectors, including state institutions, NGOs, educational establishments, and transportation entities across Ukraine, Western Europe and North America.

The GooseEgg Malware Allows Cybercriminals to Escalate Their Attack

APT28 deploys GooseEgg to gain elevated access to target systems and to pilfer credentials and sensitive information. GooseEgg is typically deployed with a batch script. Although it is a simple launcher application, it can start other applications specified on its command line with elevated permissions. This enables threat actors to pursue various follow-on objectives, including remote code execution, backdoor installation, and lateral movement within compromised networks.

The GooseEgg binary accepts commands that trigger the exploit and launch either a supplied dynamic-link library (DLL) or an executable with elevated privileges. It also verifies that the exploit succeeded by running the 'whoami' command.
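The two behaviours just described (a batch-launched binary that verifies elevation with 'whoami', and a child process running as SYSTEM although its parent did not) give a defender something concrete to hunt for. The following is an added detection example, not code from the original article or from the researchers it cites; the record fields and the sample events are constructed assumptions that loosely mirror process-creation telemetry.

```python
import ntpath  # parses Windows paths correctly on any host

# Constructed sample events (not real telemetry). Each record carries the new
# process image and command line, the account it runs as, and the parent's
# image and account.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c C:\Users\alice\stage.bat",
     "user": r"CORP\alice", "parent_image": r"C:\Windows\explorer.exe", "parent_user": r"CORP\alice"},
    {"image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami",
     "user": r"NT AUTHORITY\SYSTEM", "parent_image": r"C:\Windows\System32\cmd.exe", "parent_user": r"CORP\alice"},
    {"image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs",
     "user": r"NT AUTHORITY\SYSTEM", "parent_image": r"C:\Windows\System32\services.exe",
     "parent_user": r"NT AUTHORITY\SYSTEM"},
    {"image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /all",
     "user": r"CORP\bob", "parent_image": r"C:\Windows\System32\cmd.exe", "parent_user": r"CORP\bob"},
]

SYSTEM = r"nt authority\system"
# Accounts that legitimately spawn SYSTEM children all day long.
SERVICE_ACCOUNTS = {SYSTEM, r"nt authority\local service", r"nt authority\network service"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _base(path):
    return ntpath.basename(path).lower()


def classify(event):
    """Return the reasons (possibly none) this event matches the launcher's behaviour."""
    reasons = []
    user = event["user"].lower()
    parent_user = event["parent_user"].lower()
    child, parent = _base(event["image"]), _base(event["parent_image"])
    # 1) The launcher's own success check: whoami run as SYSTEM from a script host.
    if child == "whoami.exe" and user == SYSTEM and parent in SCRIPT_HOSTS:
        reasons.append("whoami executed as SYSTEM from a script host")
    # 2) Token jump: the child runs as SYSTEM although its parent ran as an ordinary user.
    if user == SYSTEM and parent_user not in SERVICE_ACCOUNTS:
        reasons.append(f"SYSTEM child spawned by non-service parent {event['parent_user']}")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that trips at least one heuristic."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], "->", "; ".join(why))
```

Administrative tooling that deliberately runs commands as SYSTEM will also trip the second rule, so treat hits as triage leads to be checked against the host's patch state rather than as verdicts.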

Although the Print Spooler flaw was patched in 2022, users and organizations that have yet to apply the fix are strongly advised to do so promptly to bolster their security posture.

APT28 Remains a Key Threat Actor on the Cybercrime Scene

APT28 is believed to have ties with Unit 26165 of the Russian Federation's military intelligence agency, the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). Operating for nearly 15 years, this hacking group, backed by the Kremlin, primarily focuses on intelligence gathering to support the foreign policy objectives of the Russian government.

In past campaigns, APT28 hackers have exploited a privilege escalation vulnerability in Microsoft Outlook (CVE-2023-23397) and a code execution flaw in WinRAR (CVE-2023-38831), demonstrating their ability to rapidly incorporate public exploits into their operations.

The hackers affiliated with the GRU typically focus their efforts on strategic intelligence assets, including government entities, energy firms, transportation sectors, and non-governmental organizations across the Middle East, U.S. and Europe. Additionally, researchers have noted instances of APT28 targeting media outlets, information technology firms, sports organizations, and educational institutions.
