HomeWinBuzzer NewsMicrosoft Identifies Russian APT28 Exploiting Windows Vulnerability with GooseEgg Tool

Microsoft Identifies Russian APT28 Exploiting Windows Vulnerability with GooseEgg Tool

Russian APT28 exploited a Windows flaw (CVE-2022-38028) since 2020 with a tool named GooseEgg to steal data.


has disclosed that the Russian cyber espionage group, known as APT28 or Fancy Bear, has been exploiting a vulnerability in the Windows Print Spooler service, which previously was responsible for the PrintNightmare security issue. The group, which operates under the Russian military unit 26165 of the GRU, has utilized a previously unknown tool dubbed GooseEgg to escalate privileges, steal credentials, and exfiltrate data. The vulnerability, identified as CVE-2022-38028, has been under attack by APT28 since at least June 2020, with potential activities tracing back to April 2019. Microsoft addressed this security flaw in their October 2022 Patch Tuesday updates, following a report from the U.S. Agency.

The Mechanics of the Attack

APT28's deployment of GooseEgg involves the execution of a Windows batch script, either named ‘execute.bat' or ‘doit.bat', which then launches the GooseEgg executable. This action facilitates the attackers' ability to maintain persistence on the compromised system through a scheduled task named ‘servtask.bat'. Additionally, GooseEgg is used to inject a malicious DLL, occasionally referred to as ‘wayzgoose23.dll', into the PrintSpooler service with SYSTEM permissions. This DLL functions as an app launcher, capable of executing further payloads with elevated privileges, thereby enabling the attackers to install backdoors, navigate through victims' networks, and execute remote code on the affected systems.

Historical Context and Implications

APT28 has a notorious history of engaging in high-profile cyberattacks. Notably, the group exploited a Cisco router zero-day to deploy Jaguar Tooth malware, targeting sensitive information within the U.S. and EU. Furthermore, APT28 was implicated in the breaches of the German Federal Parliament, the Democratic Congressional Campaign Committee (DCCC), and the Democratic National Committee (DNC) ahead of the 2016 U.S. Presidential Election. The U.S. and the Council of the European Union have taken legal actions against members of APT28, underscoring the significant threat this group poses to global .

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News