Fancy Bear, an advanced persistent threat group (APT28) linked to the Russian Intelligence Directorate, has been abusing the Windows Print Spooler service to elevate privileges and steal credentials. The group has been using a tool called GooseEgg since about June 2020 to exploit CVE-2022-38028.

GooseEgg is used to modify a JavaScript file and execute it with SYSTEM-level permissions. The flaw, patched in October 2022, was exploited to elevate the attackers' privileges so they could launch later phases of the attack, such as installing a backdoor or performing remote code execution.

Fancy Bear has been using the tool to target government, transportation, and education organizations in Western Europe, Ukraine, and the United States.

The Windows Print Spooler service has been a popular target for years, at least as far back as MS10-061 (2010). One of the best-known attacks, PrintNightmare, was discovered in June 2021 and spawned a series of widely circulated proof-of-concept tutorials. Fancy Bear often targets the spooler service, but what stands out here is the use of GooseEgg to elevate privileges.

The binary launches one of four commands, each with its own run path and its own method of execution, likely to conceal the activity. The chosen command triggers the exploit against the Print Spooler flaw, which then launches either a bundled DLL or an executable with elevated permissions.
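The behaviour above (the spooler, running as SYSTEM, ends up launching an attacker-supplied DLL or executable) gives defenders a simple telemetry check: spoolsv.exe should almost never have unexpected child processes. The following is an added example, not code from the original post or from any GooseEgg analysis; the field names mirror Sysmon process-creation events, but the pipe-separated log format, the expected-children allow-list and the sample lines are all constructed assumptions.

```python
# Added example: flag process-creation events in which spoolsv.exe spawned an
# unexpected child. Log format and sample lines are constructed, not real telemetry.
from dataclasses import dataclass
from typing import Iterable, List

# Children the spooler legitimately spawns; an assumption, tune to your fleet.
EXPECTED_CHILDREN = {"splwow64.exe", "printfilterpipelinesvc.exe"}


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    user: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'Key=Value|Key=Value' process-creation line."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcEvent(fields["ParentImage"], fields["Image"],
                     fields["User"], fields["CommandLine"])


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious_spooler_child(ev: ProcEvent) -> bool:
    """True when spoolsv.exe launched something outside its expected children."""
    if basename(ev.parent_image) != "spoolsv.exe":
        return False
    return basename(ev.image) not in EXPECTED_CHILDREN


def find_spooler_abuse(lines: Iterable[str]) -> List[ProcEvent]:
    return [ev for ev in map(parse_event, lines) if is_suspicious_spooler_child(ev)]


# Constructed sample log lines: one benign spooler child, one spooler-launched
# rundll32 loading a dropped DLL, one unrelated user process.
SAMPLE_LOG = [
    r"ParentImage=C:\Windows\System32\spoolsv.exe|Image=C:\Windows\splwow64.exe|User=NT AUTHORITY\SYSTEM|CommandLine=splwow64.exe",
    r"ParentImage=C:\Windows\System32\spoolsv.exe|Image=C:\Windows\System32\rundll32.exe|User=NT AUTHORITY\SYSTEM|CommandLine=rundll32.exe C:\ProgramData\dropped.dll,Main",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\cmd.exe|User=CORP\alice|CommandLine=cmd.exe",
]

if __name__ == "__main__":
    for ev in find_spooler_abuse(SAMPLE_LOG):
        print(f"ALERT: spooler spawned {ev.image} as {ev.user}: {ev.command_line}")
```

Only the second sample line is flagged; in a real deployment the allow-list is the part that needs care, since print drivers and filter pipelines vary by environment.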

When I formally started my career in 2008, Fancy Bear was the first threat group I was briefed on. I remember the threat analyst giving us the brief about their operations and thinking to myself, “this is what I want to do for a living, find the bad guy!”

Remember, update those Windows systems!

By Ghost40