GooseEgg Malware Linked to Russian Fancy Bear APT

APT28, a threat actor linked to Russia, utilized a security vulnerability in the Microsoft Windows Print Spooler component to deploy a new custom malware named GooseEgg. This post-compromise tool, operational since at least June 2020 and potentially as early as April 2019, exploited a now-patched flaw enabling privilege escalation (CVE-2022-38028, CVSS score: 7.8). Microsoft addressed this issue in updates released in October 2022, with credit to the U.S. National Security Agency (NSA) for initially reporting it.

Fancy Bear Deployed GooseEgg Against Various Targets

According to recent findings from Microsoft's threat intelligence team, APT28 (also known as Fancy Bear and Forest Blizzard) utilized this vulnerability in attacks targeting government, non-governmental, education, and transportation sector organizations in Ukraine, Western Europe, and North America.

Forest Blizzard, believed to be associated with Unit 26165 of the Russian military intelligence agency GRU, has been active for around 15 years, primarily focusing on intelligence gathering to support Russian foreign policy objectives.

Fancy Bear's Previous Attacks

In addition to GooseEgg, APT28 has exploited other vulnerabilities, such as a privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) and a code execution bug in WinRAR (CVE-2023-38831, CVSS score: 7.8), demonstrating their agility in incorporating public exploits into their tactics.

The goal of deploying GooseEgg, according to Microsoft, is to obtain elevated access to target systems and pilfer credentials and information. The malware is typically deployed alongside a batch script and allows for executing commands to trigger the exploit and launch specified applications with elevated permissions, verifying success through commands like whoami.

By Zaib
April 23, 2024
Computer Security
English
April 23, 2024
Computer Security

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Error: Ox800VDS Pop-up Scam

1 month ago

Softcnapp Potentially Unwanted Application

2 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

9 months ago

Alrucs Service Trojan

22 days ago

Remor.xyz Browser Hijacker

20 days ago

Related Posts

Malware

CryWiper Malware Used to Attack Russian Targets

A brand new strain of malware that was never seen in the wild before is now used in attacks on administrative bodies in Russia. The new malware is called CryWiper. CryWiper is targeting the offices of city officials... Read more

December 5, 2022
Malware

Bobik Malware Linked with Attacks in Ukraine

Bobik is the name of a piece of malware acting like a remote access trojan. Security researchers have linked Bobik to a threat actor known for its pro-Russian attitudes, known by the alias NoName 057(16). According to... Read more

September 9, 2022
Malware

Giddome Backdoor Linked to Russian Threat Actor

Security researchers with Symantec recently published a report on new activity conducted by Russian threat actors and aimed at Ukrainian targets. The threat actor is known by several aliases, including Gamaredon and... Read more

August 18, 2022
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.