The GooseEgg malware is distributed through a vulnerability in Windows Print Spooler

The cybercrime group Fancy Bear, which in the West is associated with Russia, took advantage of a vulnerability in the Windows print service component to load a previously unknown malware, GooseEgg, onto the system.

This malware has been active since June 2020 and uses an already fixed bug that allows privilege escalation (CVE-2022-38028, CVSS 7.8).

In October 2022, Microsoft fixed the vulnerability in updates.

According to information obtained from the Microsoft cyber intelligence team, the APT28 spy group, also known as Fancy Bear, used this bug in attacks on Ukrainian, Western European and North American governmental, non-governmental, educational and transport organizations.

According to the company, hackers delivered the malware by modifying the JavaScript restrictions file and executing it with SYSTEM-level permissions.

Despite its simplicity, the GooseEgg launcher is capable of spawning other applications specified on the command line with elevated rights, which allows attackers to develop their attacks: remotely execute code, install a backdoor, and move through compromised networks.

In recent months, APT28 also exploited a privilege escalation vulnerability in Microsoft Outlook (CVE-2023-23397, CVSS: 9.8) and a code execution bug in WinRAR (CVE-2023-38831, CVSS: 7.8), which indicates their ability to quickly implement public exploits in their work.

Microsoft said that, using GooseEgg, attackers want to gain privileged access to target systems and steal credentials and information.

The GooseEgg binary supports commands to run an exploit and load either a provided dynamic-link library (DLL) or an elevated executable file. Using the whoami command, it also checks whether the exploit was successfully activated.

Experts drew attention to the GooseEgg attacks after IBM X-Force discovered new phishing attacks organized by the Gamaredon hacker group (aka Aqua Blizzard, Hive0051 and UAC-0010) aimed at Ukraine and Poland, which deliver new iterations of the GammaLoad malware.

Earlier this month, IBM X-Force researchers reported that the attackers rotate their infrastructure through synchronized DNS floods over several channels, including Telegram, Telegraph, and Filetransfer.io, which indicates a potential increase in the attacker's resources and capabilities. This clearly accelerates the pace of operations.