Russian APT28 Group in New “GooseEgg” Hacking Campaign

Summary: A notorious Russian APT group known as APT28 has been using a post-compromise tool called “GooseEgg” to steal credentials by exploiting a Windows Print Spooler bug.

Threat Actor: APT28 (aka Strontium, Forest Blizzard)
Victim: Various government, non-governmental, education, and transportation sector organizations

Key Points:

  • APT28 has been using the GooseEgg tool since potentially April 2019 to exploit the CVE-2022-38028 vulnerability and steal credentials.
  • GooseEgg allows the threat actors to execute applications with system-level permissions, enabling them to perform various malicious activities such as remote code execution and installing backdoors.
  • The targets of APT28’s campaign include Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations.
  • Sysadmins are advised to patch CVE-2022-38028 or disable Print Spooler on domain controllers and use EDR or XDR tooling to detect GooseEgg.

A notorious Russian APT group has been stealing credentials for years by exploiting a Windows Print Spooler bug and using a novel post-compromise tool known as “GooseEgg,” Microsoft has revealed.

APT28 (aka Strontium, Forest Blizzard) has been using GooseEgg since potentially as far back as April 2019 to exploit CVE-2022-38028, Microsoft said in a new report published yesterday.

CVE-2022-38028 was reported to Microsoft by the NSA and patched in October 2022. GooseEgg is used to modify a JavaScript constraints file and execute it with system-level permissions, enabling the threat actors to steal credentials and information from targeted networks.

“While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks,” the report noted.


APT28 has been linked by British and US intelligence to the Russian General Staff Main Intelligence Directorate (GRU), and usually focuses on cyber-espionage rather than destructive attacks.

Its targets in this campaign include Ukrainian, Western European and North American government, non-governmental, education and transportation sector organizations, according to Microsoft.

“Although Russian threat actors are known to have exploited a set of similar vulnerabilities known as PrintNightmare (CVE-2021-34527 and CVE-2021-1675), the use of GooseEgg in Forest Blizzard operations is a unique discovery that had not been previously reported by security providers,” the report claimed.

Sysadmins are urged to patch CVE-2022-38028 and/or disable Print Spooler on domain controllers. The report also suggested running EDR or XDR tooling to detect GooseEgg. Microsoft Defender Antivirus detects it as HackTool:Win64/GooseEgg.
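As an added example (not code from the article or from Microsoft's report), the following PowerShell script audits every domain controller for the two points the article raises: whether the Print Spooler service is still running, and whether Defender has recorded a HackTool:Win64/GooseEgg detection. It assumes the RSAT ActiveDirectory module, WinRM access to the DCs, and Microsoft Defender Antivirus as the endpoint AV; the -DisableSpooler switch is a hypothetical parameter name chosen here.

```powershell
# Added example, not code from the article or from Microsoft's report.
# Audits each domain controller for a running Print Spooler (the service in which
# CVE-2022-38028 lives) and for Defender hits on HackTool:Win64/GooseEgg.
# Assumes: RSAT ActiveDirectory module, WinRM to the DCs, Defender as the AV.
[CmdletBinding()]
param(
    # When set, stop and disable Spooler on any DC where it is running.
    [switch]$DisableSpooler
)

Import-Module ActiveDirectory

# Enumerate every domain controller in the current domain.
$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $svc = Get-Service -Name Spooler

    # Defender's threat history; the article names the detection HackTool:Win64/GooseEgg.
    $hits = @(Get-MpThreat -ErrorAction SilentlyContinue |
              Where-Object { $_.ThreatName -like '*GooseEgg*' })

    if ($using:DisableSpooler -and $svc.Status -eq 'Running') {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        $svc = Get-Service -Name Spooler   # re-read so the report shows the new state
    }

    [pscustomobject]@{
        SpoolerStatus    = $svc.Status
        SpoolerStartType = $svc.StartType
        GooseEggHits     = $hits.Count
    }
}

# One row per DC; any DC with Spooler 'Running' or GooseEggHits > 0 needs attention.
$results |
    Select-Object PSComputerName, SpoolerStatus, SpoolerStartType, GooseEggHits |
    Format-Table -AutoSize
```

Run it read-only first; add -DisableSpooler only after confirming no DC is intentionally serving as a print server.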

The report warned that APT28’s TTPs and infrastructure related to GooseEgg could change at any time.

Source: https://www.infosecurity-magazine.com/news/russian-apt28-gooseegg-hacking/