Microsoft Threat Intelligence has disclosed activity by the Russia-based threat actor Forest Blizzard, also known as APT28 or Fancy Bear, linked to the GRU's Unit 26165. Forest Blizzard has been exploiting CVE-2022-38028, a vulnerability in the Windows Print Spooler service, since at least June 2020 to deploy a custom malware known as GooseEgg. These attacks have targeted sectors such as government, non-governmental organizations, education, and transportation across Ukraine, Western Europe, and North America. In addition to CVE-2022-38028, the group has exploited other critical vulnerabilities, including CVE-2023-23397 in Microsoft Outlook and CVE-2023-38831 in WinRAR.
GooseEgg, as used by Forest Blizzard, is primarily employed to modify a JavaScript constraints file and execute it with SYSTEM-level permissions, exploiting CVE-2022-38028. Microsoft patched this flaw in October 2022 following a report by the U.S. National Security Agency. The malware is launched by batch scripts such as execute.bat or doit.bat, which establish persistence and elevate privileges through scheduled tasks. GooseEgg supports several commands that execute DLLs or executables with elevated privileges, concealing its activity through custom protocol handlers and the manipulation of system directories and registry keys. For instance, it redirects the Print Spooler to load a malicious JavaScript file from a directory controlled by the actor, enabling further exploitation to run other malware with SYSTEM permissions.
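The behaviours described above (batch-script launchers persisted through scheduled tasks, the Print Spooler reading JavaScript from an actor-controlled directory, and SYSTEM-level execution out of the spooler) each leave a footprint in endpoint telemetry. The following is an added hunting example, not Microsoft's published detections or queries: it runs three heuristic rules over a constructed, simplified event schema. Only the names execute.bat and doit.bat come from the report; the trusted-directory prefix, the list of suspicious spooler child processes, the event field names and every sample path are assumptions or constructed values.

```python
"""Hunting heuristics for the GooseEgg tradecraft summarised above.

Added example, not Microsoft's code or hunting queries. Events use a
constructed, simplified telemetry schema (type, image, parent, cmdline,
path); only execute.bat and doit.bat come from the report, every other
path or name below is a constructed sample value.
"""
import ntpath

# Batch-script launchers named in the report.
LAUNCHER_NAMES = {"execute.bat", "doit.bat"}

# Heuristic assumption: the spooler should only read JavaScript
# configuration from under the Windows directory.
TRUSTED_PREFIXES = ("c:\\windows\\",)

# Heuristic assumption: spoolsv.exe does not normally launch these.
SUSPICIOUS_SPOOLER_CHILDREN = {"cmd.exe", "wscript.exe", "cscript.exe",
                               "powershell.exe", "rundll32.exe"}


def _name(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def launcher_task(event):
    """Scheduled-task creation whose action references a GooseEgg launcher."""
    if event["type"] != "process" or _name(event["image"]) != "schtasks.exe":
        return None
    cmd = event["cmdline"].lower()
    if "/create" not in cmd:
        return None
    hits = sorted(n for n in LAUNCHER_NAMES if n in cmd)
    if hits:
        return f"schtasks /create referencing {', '.join(hits)}"
    return None


def spooler_js_read(event):
    """Print Spooler reading a .js file from outside the trusted prefix."""
    if event["type"] != "file_read" or _name(event["image"]) != "spoolsv.exe":
        return None
    path = event["path"].lower()
    if path.endswith(".js") and not path.startswith(TRUSTED_PREFIXES):
        return f"spoolsv.exe read JavaScript from untrusted path {event['path']}"
    return None


def spooler_child(event):
    """spoolsv.exe (running as SYSTEM) spawning a shell or script host."""
    if event["type"] != "process" or _name(event["parent"]) != "spoolsv.exe":
        return None
    child = _name(event["image"])
    if child in SUSPICIOUS_SPOOLER_CHILDREN:
        return f"spoolsv.exe spawned {child}"
    return None


RULES = (launcher_task, spooler_js_read, spooler_child)


def hunt(events):
    """Return (event_id, finding) pairs for every rule that fires."""
    findings = []
    for event in events:
        for rule in RULES:
            hit = rule(event)
            if hit:
                findings.append((event["id"], hit))
    return findings


# Constructed sample telemetry: events 1-3 should fire, 4 and 5 are benign.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /tn Updater /ru SYSTEM /tr "C:\ProgramData\x\execute.bat"'},
    {"id": 2, "type": "file_read", "image": r"C:\Windows\System32\spoolsv.exe",
     "path": r"C:\ProgramData\x\constraints.js"},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\spoolsv.exe", "cmdline": "rundll32.exe"},
    {"id": 4, "type": "file_read", "image": r"C:\Windows\System32\spoolsv.exe",
     "path": r"C:\Windows\System32\DriverStore\example.js"},
    {"id": 5, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "schtasks /query /tn Updater"},
]

if __name__ == "__main__":
    for event_id, finding in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {finding}")
```

The three rules are deliberately independent so that any one of them firing is worth a look, while the combination (a task pointing at a launcher script, followed by the spooler reading JavaScript from the same non-system directory and then spawning a child) is the chain the report describes. Tune TRUSTED_PREFIXES and SUSPICIOUS_SPOOLER_CHILDREN against a baseline of your own print servers before treating a single hit as an alert.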