Russian group exploits Windows print spooler bug via ‘GooseEgg’ malware

Microsoft says a previously undocumented malware it calls "GooseEgg" is being used by Russian threat group APT28 to exploit a known Windows Print Spooler bug, leading to network compromise and credential theft.

The software giant is urging organizations to patch the vulnerability, after observing the malware being deployed against targets in North America, Western Europe, and Ukraine.

In an April 22 post, Microsoft Threat Intelligence researchers described GooseEgg as a simple launcher application that can enable remote code execution, backdoor installation and lateral movement.

They said APT28 had used the tool since at least June 2020 (and possibly as early as April 2019) to exploit CVE-2022-38028, a print spooler bug Microsoft issued a patch for in October 2022.

The threat group’s attack involved the hackers modifying a JavaScript constraints file in the printer spooler and executing it with SYSTEM-level permissions.

“GooseEgg is typically deployed with a batch script, which we have observed using the name execute.bat and doit.bat,” the researchers said.

“This batch script writes the file servtask.bat, which contains commands for saving off/compressing registry hives. The batch script invokes the paired GooseEgg executable and sets up persistence as a scheduled task designed to run servtask.bat.”

The appeal of printer-related bugs

APT28, also known as Fancy Bear and tracked by Microsoft as Forest Blizzard (previously Strontium), is linked to the Russian General Staff Main Intelligence Directorate (GRU), and specializes in strategic intelligence gathering for the Kremlin.

In December, Microsoft warned that the same threat group was exploiting a critical Exchange elevation of privilege vulnerability (CVE-2023-23397) to steal sensitive government and corporate information from targets in the U.S., Europe and the Middle East.

In February, the FBI dismantled a botnet of several hundred small office/home office (SOHO) routers that U.S. authorities said was under the control of APT28 and used in large credential-harvesting campaigns for Russia’s intelligence service.

While Microsoft believes the GooseEgg malware is unique to APT28, Russian-linked threat actors were observed in 2021 exploiting a set of similar vulnerabilities known as PrintNightmare, also privilege escalation bugs in the Windows Print Spooler service.

“Printers can become the attack path into your corporation,” said Tom Kellermann, senior vice president of cyber strategy at Contrast Security.

“Russia continues to exploit older vulnerabilities because many organizations do not have proper vulnerability management for their printers.”

Mitigating the GooseEgg threat

As well as patching the GooseEgg vulnerability in October 2022, Microsoft released patches for the two bugs associated with the PrintNightmare flaw (CVE-2021-1675 and CVE-2021-34527) in June and July 2021 respectively.

“Customers who have not implemented these fixes yet are urged to do so as soon as possible for their organization’s security,” the Microsoft Threat Intelligence researchers said.

“In addition, since the Print Spooler service isn’t required for domain controller operations, Microsoft recommends disabling the service on domain controllers.”