Russian hackers’ custom tool exploits old Windows Print Spooler flaw (CVE-2022-38028)

For nearly four years and perhaps even longer, Forest Blizzard (aka Fancy Bear, aka APT28) has been using a custom tool that exploits a specific vulnerability in the Windows Print Spooler service (CVE-2022-38028).

Dubbed GooseEgg, the tool is a launcher application that can spawn other applications with SYSTEM-level permissions, thus helping the hackers to perform remote code execution, install backdoors, steal credentials, and more.

“Microsoft has observed Forest Blizzard using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations,” Microsoft threat analysts shared on Monday.

Most recently, the group has been spotted leveraging a known Microsoft Outlook vulnerability (CVE-2023-23397) to compromise email accounts of workers at public and private entities in Poland.

US and UK governments believe Forest Blizzard to be linked to Unit 26165 of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

How GooseEgg exploits CVE-2022-38028

Microsoft’s analysts say that the hackers have been using GooseEgg “since at least June 2020 and possibly as early as April 2019.” This means that CVE-2022-38028, the vulnerability it exploits, was a zero-day when Microsoft patched it in October 2022.

Although the vulnerability was reported by the US National Security Agency, Microsoft did not describe it as exploited at the time and still does not. (It is, of course, possible that the discovery of GooseEgg is very recent and Microsoft didn’t know until then that the flaw was being used by attackers.)

In any case, Microsoft explains that GooseEgg is typically deployed with a batch script, which invokes the GooseEgg executable and sets up persistence as a scheduled task.

The executable uses commands to trigger the exploit, launch either a malicious DLL or executable with elevated permissions, and test the exploit.

The malware components are installed in a specially crafted subdirectory with an ordinary name (e.g. Microsoft, Comms, Intel, etc.). The binary then copies driver stores to another system directory.

“Next, registry keys are created, effectively generating a custom protocol handler and registering a new CLSID to serve as the COM server for this ‘rogue’ protocol. The exploit replaces the C: drive symbolic link in the object manager to point to the newly created directory,” the analysts explained.

“When the PrintSpooler attempts to load C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_amd64_a7412a554c9bc1fd\MPDW-Constraints.js, it instead is redirected to the actor-controlled directory containing the copied driver packages.”

The JavaScript file applies a patch to the convertDevModeToPrintTicket function, which “invokes the ‘rogue’ search protocol handler’s CLSID during the call to RpcEndDocPrinter. This results in the auxiliary DLL wayzgoose.dll launching in the context of the PrintSpooler service with SYSTEM permissions.”
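
The two file artefacts named above (a copy of MPDW-Constraints.js outside the real DriverStore, and wayzgoose.dll) can be turned into a quick triage pass over a host's file listing. The Python below is an added example, not code from Microsoft or from this article; it assumes a per-host list of file paths (for instance exported from an EDR), a system drive of C:, and the sample paths in it are constructed.

```python
from pathlib import PureWindowsPath

# Legitimate driver package location, taken from the path quoted above.
# Assumption: the system drive is C:.
DRIVER_STORE = ("c:\\", "windows", "system32", "driverstore", "filerepository")
CONSTRAINTS_JS = "mpdw-constraints.js"  # script the Print Spooler loads
AUX_DLL = "wayzgoose.dll"               # auxiliary DLL named in the report


def normalise(raw):
    # Drop surrounding quotes/whitespace and the \\?\ long-path prefix
    # that some inventory tools emit, then parse as a Windows path.
    text = raw.strip().strip('"')
    if text.startswith("\\\\?\\"):
        text = text[4:]
    return PureWindowsPath(text)


def in_driver_store(path):
    # Compare whole path components, lower-cased, so that
    # "FileRepositoryX" or a different drive does not match.
    parts = tuple(part.lower() for part in path.parts)
    return parts[:len(DRIVER_STORE)] == DRIVER_STORE


def hunt(paths):
    """Return (path, reason) pairs worth an analyst's attention."""
    findings = []
    for raw in paths:
        path = normalise(raw)
        name = path.name.lower()
        if name == AUX_DLL:
            findings.append((str(path), "DLL name from the GooseEgg report"))
        elif name == CONSTRAINTS_JS and not in_driver_store(path):
            findings.append((str(path), "MPDW-Constraints.js outside DriverStore"))
    return findings


# Constructed sample inventory (hypothetical paths, not real telemetry).
SAMPLE = [
    r"C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_amd64_a7412a554c9bc1fd\MPDW-Constraints.js",
    r'"c:\windows\system32\driverstore\filerepository\pnms009.inf_amd64_a7412a554c9bc1fd\mpdw-constraints.js"',
    r"\\?\C:\Example\Comms\pnms009.inf_amd64_a7412a554c9bc1fd\MPDW-Constraints.js",
    r"C:\Example\Comms\wayzgoose.dll",
    r"C:\Windows\System32\spoolsv.exe",
]

if __name__ == "__main__":
    for path, reason in hunt(SAMPLE):
        print(f"{reason}: {path}")
```

A hit is a lead for an analyst rather than a verdict, since a file name alone can be reused or changed.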

Security updates fixing CVE-2022-38028 have been available for a year and a half and organizations should install them, Microsoft advises. If it’s not needed, disabling the Print Spooler service for domain controllers is also a good idea, the company says.

Vulnerabilities in the Windows Print Spooler service are often exploited by attackers, and this is the main reason why Microsoft is working on supplanting it with Windows Protected Print Mode (WPP).


