Russian state-sponsored hacker used GooseEgg malware to steal Windows credentials

Russia-linked advanced persistent threat (APT) actor Forest Blizzard had, since June 2020, exploited a now-patched Windows vulnerability to drop previously unknown, custom post-compromise malware, GooseEgg, according to a Microsoft report.

Forest Blizzard, linked previously to the Russian intelligence agency General Staff of the Armed Forces of the Russian Federation (GRU), deployed GooseEgg to gain elevated access to target systems and steal credentials and information.

“Although Russian threat actors are known to have exploited a set of similar vulnerabilities known as PrintNightmare (CVE-2021-34527 and CVE-2021-1675), the use of GooseEgg in Forest Blizzard operations is a unique discovery that had not been previously reported by security providers,” Microsoft said in the report.

GooseEgg used for privilege elevation

The vulnerability, tracked as CVE-2022-38028, was a severe (CVSS 7.8/10) privilege escalation flaw in the Windows Print Spooler service, fixed in Microsoft’s October 2022 Patch Tuesday updates. Windows Print Spooler is an operating system component that temporarily stores print jobs in the computer’s memory until the printer is ready to print them.

According to Microsoft’s observation, once access to the target system is obtained, Forest Blizzard uses GooseEgg to elevate privileges within the environment.

GooseEgg is typically deployed using a batch script, a set of commands stored in a plain text file to be executed by a Windows command line interpreter. The batch script invokes the GooseEgg executable, a malicious binary with privilege elevation and credential-stealing commands.

“While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks,” the company said.

Forest Blizzard has used GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American governments, non-governmental, education, and transportation sector organizations, according to the report.

Exploits as early as April 2019

Forest Blizzard, also tracked as Fancy Bear, GRU Unit 26165, APT28, Sednit, Sofacy, and STRONTIUM, has reportedly been active since 2010, collecting intelligence in support of Russian government foreign policy initiatives. The threat actor has been linked to GRU Military Unit 26165, with global targets but a predominant focus on entities in the US and Europe.

“Forest Blizzard primarily focuses on strategic intelligence targets and differs from other GRU-affiliated and sponsored groups, which Microsoft has tied to destructive attacks, such as Seashell Blizzard (IRIDIUM) and Cadet Blizzard (DEV-0586),” the company said.

Microsoft Threat Intelligence assessed that Forest Blizzard’s objective in deploying GooseEgg is to gain access to target systems and steal information, and that the tool has been in use since at least June 2020 and possibly as early as April 2019.

Apart from applying the October 2022 patches, Microsoft has recommended that organizations disable the Windows Print Spooler service on domain controllers, since it is not required for domain controller operations; run endpoint detection and response (EDR) in block mode; enable fully automated investigation and remediation in Microsoft Defender; and turn on cloud-delivered protection in Microsoft Defender Antivirus.

Microsoft Defender Antivirus currently detects the GooseEgg threat components within affected systems as “HackTool:Win64/GooseEgg”, the company added.
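The following PowerShell script is an added example, not code from Microsoft’s report or from the article, showing how an administrator might apply two of the mitigations above on a single host: disabling Print Spooler only when the machine is a domain controller, turning on cloud-delivered protection, and checking Defender’s threat history for the GooseEgg detection name. It assumes a Windows host with the Defender PowerShell module available and must be run from an elevated session.

```powershell
# Added example (hypothetical hardening/audit script, not Microsoft's own guidance verbatim).
# Run in an elevated PowerShell session on the host being checked.

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDomainController = $role -in 4, 5

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler) {
    Write-Output "Print Spooler service not present on $env:COMPUTERNAME; nothing to do."
}
elseif ($isDomainController) {
    # Microsoft's advice: the spooler is not needed for domain controller operations, so
    # stop it and prevent it from starting again, removing the exposed service entirely.
    if ($spooler.Status -eq 'Running') {
        Stop-Service -Name Spooler -Force
    }
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output "Print Spooler stopped and disabled on domain controller $env:COMPUTERNAME."
}
else {
    # On member servers and workstations the spooler may be genuinely required; only report.
    Write-Output "Not a domain controller; Print Spooler left as $($spooler.StartType) / $($spooler.Status)."
}

# Turn on Defender Antivirus cloud-delivered protection (MAPSReporting 'Advanced') and allow
# safe sample submission so new GooseEgg components can be analysed by the cloud service.
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples

# Review Defender's threat history for the detection name cited in the article.
$hits = Get-MpThreat | Where-Object { $_.ThreatName -like 'HackTool:Win64/GooseEgg*' }
if ($hits) {
    Write-Output "Defender has recorded GooseEgg detections on this host:"
    $hits | Select-Object ThreatName, SeverityID, IsActive, Resources | Format-List
}
else {
    Write-Output "No Defender detections matching HackTool:Win64/GooseEgg on this host."
}
```

A non-empty result from the last step means GooseEgg components were seen on the machine at some point and the host should be treated as potentially compromised, regardless of whether the spooler has since been disabled.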
