Priya Patel
TLDR:
Key Points:
- Russia’s APT28 exploited a security flaw in the Windows Print Spooler component to deploy a newly discovered malware called GooseEgg.
- GooseEgg allowed threat actors to gain elevated access to target systems and steal credentials and information.
Russia’s APT28, also known as Fancy Bear and Forest Blizzard, utilized a security vulnerability in the Windows Print Spooler service to deliver GooseEgg malware, which was active since at least June 2020. The malware leveraged the now-patched flaw to escalate privileges and execute commands with elevated permissions. APT28, affiliated with the Russian military intelligence agency GRU, targeted government, non-governmental, education, and transportation sector organizations in Ukraine, Western Europe, and North America. GooseEgg was used to gain access to systems, steal credentials, and execute follow-on objectives like remote code execution and lateral movement within compromised networks.
The disclosure of GooseEgg comes in light of recent phishing attacks orchestrated by the Gamaredon actor targeting Ukraine and Poland. The attacks deliver iterations of GammaLoad malware, including VBS-based backdoors, executable payloads, and PowerShell-based tools. APT28’s extensive hacking activities, spanning nearly 15 years, demonstrate their ability to swiftly adopt public exploits and employ new tools and methods to facilitate ongoing operations.
Overall, the article highlights the sophisticated cyber espionage tactics employed by APT28 and other threat actors, emphasizing the importance of timely patching, proactive threat hunting, and secure coding practices to mitigate the risks associated with advanced persistent threats.
