GooseEgg Malware Linked to Russian Fancy Bear APT
APT28, a threat actor linked to Russia, exploited a security vulnerability in the Microsoft Windows Print Spooler component to deploy a new custom malware named GooseEgg. This post-compromise tool, in use since at least June 2020 and potentially as early as April 2019, exploits a now-patched privilege escalation flaw (CVE-2022-38028, CVSS score: 7.8). Microsoft addressed the issue in updates released in October 2022 and credited the U.S. National Security Agency (NSA) with initially reporting it.
Fancy Bear Deployed GooseEgg Against Various Targets
According to recent findings from Microsoft's threat intelligence team, APT28 (also known as Fancy Bear and Forest Blizzard) utilized this vulnerability in attacks targeting government, non-governmental, education, and transportation sector organizations in Ukraine, Western Europe, and North America.
Forest Blizzard, believed to be associated with Unit 26165 of the Russian military intelligence agency GRU, has been active for around 15 years, primarily focusing on intelligence gathering to support Russian foreign policy objectives.
Fancy Bear's Previous Attacks
In addition to GooseEgg, APT28 has exploited other vulnerabilities, such as a privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) and a code execution bug in WinRAR (CVE-2023-38831, CVSS score: 7.8), demonstrating its agility in incorporating public exploits into its tactics.
The goal of deploying GooseEgg, according to Microsoft, is to obtain elevated access to target systems and steal credentials and information. The malware is typically deployed alongside a batch script; it accepts commands that trigger the exploit and launch a specified application with elevated permissions, and the operator verifies success with commands such as whoami.
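The pattern described above (a batch script driving a tool that launches whoami with elevated permissions) can be hunted for in process-creation telemetry. The following is an added example, not Microsoft's detection or GooseEgg's own code: a heuristic over constructed, Sysmon-style events that flags a whoami.exe running at a higher integrity level than one of its ancestors when a cmd.exe running a .bat file is in that ancestry. Event fields, sample file names and the loader name are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Windows integrity levels ordered from least to most privileged.
INTEGRITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str        # executable file name, as a process-creation event reports it
    cmdline: str      # full command line
    integrity: str    # integrity level label ("Medium", "High", "System", ...)


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk parent links upward; guard against PID reuse loops in the sample."""
    chain: List[ProcEvent] = []
    seen = set()
    cur: Optional[ProcEvent] = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def find_batch_driven_elevation(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """Return (whoami pid, batch cmd.exe pid) pairs where whoami.exe runs at a
    higher integrity than some ancestor and a .bat-driven cmd.exe is an ancestor.
    An admin prompt spawning whoami at High integrity is not flagged: no jump."""
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[int, int]] = []
    for ev in events:
        if ev.image.lower() != "whoami.exe":
            continue
        chain = ancestors(ev, by_pid)
        jump = [a for a in chain if INTEGRITY_RANK[a.integrity] < INTEGRITY_RANK[ev.integrity]]
        batch = [a for a in chain if a.image.lower() == "cmd.exe" and ".bat" in a.cmdline.lower()]
        if jump and batch:
            hits.append((ev.pid, batch[0].pid))
    return hits


# Constructed sample: one suspicious chain (explorer -> cmd /c stage.bat -> loader.exe
# -> whoami at High) and one benign chain (elevated admin cmd.exe -> whoami at High).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe", "Medium"),
    ProcEvent(200, 100, "cmd.exe", r"cmd.exe /c C:\Users\user\stage.bat", "Medium"),
    ProcEvent(300, 200, "loader.exe", r"C:\Users\user\loader.exe", "Medium"),
    ProcEvent(400, 300, "whoami.exe", "whoami.exe", "High"),
    ProcEvent(500, 1, "cmd.exe", "cmd.exe", "High"),
    ProcEvent(600, 500, "whoami.exe", "whoami.exe", "High"),
]

if __name__ == "__main__":
    print(find_batch_driven_elevation(SAMPLE_EVENTS))
```

Real telemetry rarely carries an explicit integrity label on the same record as the parent chain, so in practice the integrity comparison is joined from the token-elevation field of each process-creation event.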