Forest Blizzard, a Russian APT group, has used a custom tool called GooseEgg since at least June 2020 to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler.
GooseEgg modifies a JavaScript constraints file to gain SYSTEM-level permissions and steal credentials, allowing further actions like remote code execution and lateral movement.
GooseEgg is a unique tool that had not previously been reported by security providers. Applying the security update for CVE-2022-38028 and using antivirus that detects GooseEgg are the recommended mitigations.
Forest Blizzard, a threat actor linked to Russia’s GRU intelligence agency, targets government, energy, transportation, and NGO organizations globally for intelligence collection aligned with Russian foreign policy.
They exploit vulnerabilities to gain access to systems and then potentially steal credentials or deploy malware for further compromise. Their activity has been documented since at least 2010, and the group is also tracked under names such as APT28, Sednit, Sofacy, and Fancy Bear.
The group, assessed as linked to Russia’s GRU, is deploying custom malware named GooseEgg, which exploits a vulnerability (CVE-2022-38028) in the Windows Print Spooler to gain elevated access on target systems.
Once privileges are escalated, GooseEgg can be used to steal credentials and information. Forest Blizzard is known to target various sectors, including government, education, and transportation, and its tactics, techniques, and procedures (TTPs) evolve over time.
Forest Blizzard uses the GooseEgg malware for privilege escalation after compromising a system. Through batch scripts (execute.bat, doit.bat), GooseEgg establishes persistence by creating a scheduled task that runs servtask.bat, a script potentially used for exfiltrating data.
The GooseEgg binary (justice.exe, DefragmentSrv.exe, etc.) accepts four commands: one returns a custom code, likely a version number; two exploit the vulnerability to launch a supplied DLL or executable with elevated privileges; the final command verifies exploit success by running “whoami”.
Malicious actors are deploying a DLL file, often named “wayzgoose23.dll,” along with other components.
The installation directory is created under C:\ProgramData with various names mimicking legitimate software vendors (e.g., Adobe, Kaspersky Lab) or a randomly generated format string.
According to Microsoft, the malware then copies specific driver store directories (pnms003.inf_*, pnms009.inf_*) to this directory, potentially indicating an attempt to manipulate system drivers.
The exploit registers a custom protocol handler and a new COM server, then causes the Print Spooler service to load a malicious version of a legitimate driver file (MPDW-Constraints.js).
The modified file triggers the loading of a malicious DLL (wayzgoose.dll) with SYSTEM privileges when the Print Spooler service attempts to use the spoofed driver. wayzgoose.dll allows attackers to execute any program with the highest permissions, enabling them to install backdoors, spread laterally, and remotely execute code on the compromised system.
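A defender-side hunt over endpoint telemetry for the staging chain described above (driver store folders copied under C:\ProgramData, a constraints file written outside the driver store, a scheduled task running one of the named batch scripts, and the published hashes). This is an added example and not code from the original report or from Microsoft; the event schema (host/type/path/action/sha256 fields) and the sample events are constructed, while the hashes and file names come from this page.

```python
import re

# SHA-256 hashes published for the GooseEgg components (copied from the IoC table on this page).
GOOSEEGG_SHA256 = {
    "c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5",  # DefragmentSrv.exe
    "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f",  # justice.exe
    "41a9784f8787ed86f1e5d20f9895059dac7a030d8d6e426b9ddcaf547c3393aa",  # wayzgoose[%n].dll
}
BATCH_NAMES = ("execute.bat", "doit.bat", "servtask.bat")  # batch scripts named in the report

# The pnms003.inf_* / pnms009.inf_* printer driver folders normally live only in the driver store.
DRIVER_STORE = re.compile(r"^c:\\windows\\system32\\driverstore\\filerepository\\", re.I)
# Copies of those folders under C:\ProgramData match the staging behaviour described above.
STAGED_INF = re.compile(r"^c:\\programdata\\.*\\pnms00[39]\.inf_[^\\]+", re.I)

def classify_event(ev: dict) -> list[str]:
    """Return the names of the hunt rules a single (constructed-schema) telemetry event triggers."""
    hits = []
    path, kind = ev.get("path", ""), ev.get("type")
    if kind in ("file_create", "file_write"):
        if STAGED_INF.search(path):
            hits.append("driver_store_copied_to_programdata")
        # A constraints file written anywhere but the driver store is the swapped-in copy.
        if path.lower().endswith("\\mpdw-constraints.js") and not DRIVER_STORE.search(path):
            hits.append("constraints_js_outside_driver_store")
    if kind == "task_create" and any(b in ev.get("action", "").lower() for b in BATCH_NAMES):
        hits.append("scheduled_task_runs_known_batch")
    if kind == "process_create" and ev.get("sha256", "").lower() in GOOSEEGG_SHA256:
        hits.append("known_gooseegg_hash")
    return hits

def hunt(events: list[dict]) -> dict[str, list[str]]:
    """Map each triggered rule to the hosts where it fired (duplicates kept for counting)."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        for rule in classify_event(ev):
            findings.setdefault(rule, []).append(ev["host"])
    return findings

# Constructed sample telemetry (not real data): ws01 shows the staging chain, ws02 is a benign write.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "file_create", "path": r"C:\ProgramData\Adobe\v2.0\pnms009.inf_amd64_abc123\MPDW-Constraints.js"},
    {"host": "ws01", "type": "task_create", "action": r"cmd.exe /c C:\ProgramData\Adobe\v2.0\servtask.bat"},
    {"host": "ws01", "type": "process_create", "path": r"C:\ProgramData\Adobe\v2.0\justice.exe", "sha256": "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f"},
    {"host": "ws02", "type": "file_write", "path": r"C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_amd64_xyz\MPDW-Constraints.js"},
]

if __name__ == "__main__":
    for rule, hosts in hunt(SAMPLE_EVENTS).items():
        print(f"{rule}: {sorted(set(hosts))}")
```

The path and filename rules are heuristics that fire on legitimate driver installs only if they write outside the driver store, so the benign ws02 write produces no finding.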
Indicators of Compromise
Batch script artifacts:
- execute.bat
- doit.bat
- servtask.bat
- 7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9
GooseEgg artifacts:
- justice.pdb
- wayzgoose.pdb
| Indicator | Type | Description |
| --- | --- | --- |
| c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5 | SHA-256 | Hash of GooseEgg binary DefragmentSrv.exe |
| 6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f | SHA-256 | Hash of GooseEgg binary justice.exe |
| 41a9784f8787ed86f1e5d20f9895059dac7a030d8d6e426b9ddcaf547c3393aa | SHA-256 | Hash of wayzgoose[%n].dll, where %n is a random number |