23 April 2024

Russia’s Fancy Bear exploits Windows Print Spooler flaw to deploy GooseEgg malware

A Russian nation-state threat actor has been observed exploiting a vulnerability in the Microsoft Windows Print Spooler service to deploy malware in attacks targeting government, non-governmental, education, and transportation sector organizations in Ukraine, Western Europe and North America.

Tracked as CVE-2022-38028, the vulnerability is a privilege escalation issue that has been exploited in the wild since at least June 2020 and possibly as early as April 2019. Microsoft addressed the flaw as part of its October 2022 Patch Tuesday updates.

According to Microsoft’s threat intelligence team, the group, tracked as APT28, Fancy Bear and Forest Blizzard (formerly Strontium), is using the GooseEgg malware as part of post-compromise activities. The tool is capable of executing commands with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks.

“GooseEgg is typically deployed with a batch script, which we have observed using the name execute.bat and doit.bat. This batch script writes the file servtask.bat, which contains commands for saving off/compressing registry hives. The batch script invokes the paired GooseEgg executable and sets up persistence as a scheduled task designed to run servtask.bat,” Microsoft explained in a technical write-up.

The threat actor also uses GooseEgg to drop an embedded malicious DLL file (in some cases named 'wayzgoose23.dll'), a basic launcher application, which runs in the context of the Print Spooler service with SYSTEM permissions.
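The deployment chain described above (batch scripts named execute.bat or doit.bat, a dropped servtask.bat, a scheduled task that runs it, and a launcher DLL executing under the Print Spooler) leaves traces that are easy to hunt for in process-creation telemetry. The following script is an added example written for this article, not code from Microsoft or from the campaign write-up. It parses a constructed, tab-separated log in the shape of Sysmon event 1 / Windows 4688 fields and applies three detection rules. The file names are the ones named in the article; the assumption that spoolsv.exe (the Print Spooler host process) should never spawn cmd.exe or powershell.exe is a heuristic chosen for this example, and the sample events are synthetic.

```python
"""Hunt for GooseEgg-style deployment traces in process-creation logs.

Added example. The log below is constructed; the indicator file names
come from the article. spoolsv.exe hosting the Print Spooler is a
well-known fact, but treating a shell under it as suspicious is a
heuristic chosen here, not a rule from the write-up.
"""
import re
from dataclasses import dataclass

# File names the article associates with GooseEgg deployment.
GOOSEEGG_NAMES = {"execute.bat", "doit.bat", "servtask.bat", "wayzgoose23.dll"}

# Print Spooler service binary; shells spawned beneath it are out of place.
SPOOLER_IMAGE = "spoolsv.exe"
SHELLS = {"cmd.exe", "powershell.exe"}

# Matches "schtasks /create ... /tr <program>" and captures the program path.
SCHTASKS_CREATE = re.compile(
    r"schtasks(?:\.exe)?\s+/create\b.*?/tr\s+\"?([^\s\"]+)", re.IGNORECASE
)

# Constructed sample log, one event per line:
# timestamp <TAB> parent image <TAB> image <TAB> command line
SAMPLE_LOG = """\
2024-04-01T10:00:01Z\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe report.txt
2024-04-01T10:02:14Z\tC:\\Windows\\System32\\cmd.exe\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c C:\\Users\\Public\\execute.bat
2024-04-01T10:02:15Z\tC:\\Windows\\System32\\cmd.exe\tC:\\Windows\\System32\\schtasks.exe\tschtasks.exe /create /tn Updater /tr C:\\Users\\Public\\servtask.bat /sc onlogon /ru SYSTEM
2024-04-01T10:02:16Z\tC:\\Windows\\System32\\spoolsv.exe\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c whoami
2024-04-01T10:05:00Z\tC:\\Windows\\System32\\services.exe\tC:\\Windows\\System32\\svchost.exe\tsvchost.exe -k netsvcs
"""


@dataclass
class ProcEvent:
    ts: str
    parent: str
    image: str
    cmdline: str

    @property
    def image_name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()

    @property
    def parent_name(self) -> str:
        return self.parent.rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> list:
    """Parse the tab-separated log into ProcEvent records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("\t", 3)
        events.append(ProcEvent(ts, parent, image, cmdline))
    return events


def analyze(events: list) -> list:
    """Return (timestamp, rule, detail) findings for each rule an event trips."""
    findings = []
    for ev in events:
        haystack = (ev.cmdline + " " + ev.image).lower()

        # Rule 1: any known GooseEgg artifact name in the image path or command line.
        hits = sorted(n for n in GOOSEEGG_NAMES if n in haystack)
        if hits:
            findings.append((ev.ts, "gooseegg_filename", ",".join(hits)))

        # Rule 2: scheduled-task persistence whose action is a batch file.
        m = SCHTASKS_CREATE.search(ev.cmdline)
        if m and m.group(1).lower().endswith(".bat"):
            findings.append((ev.ts, "schtask_runs_batch", m.group(1)))

        # Rule 3: a shell spawned directly by the Print Spooler process.
        if ev.parent_name == SPOOLER_IMAGE and ev.image_name in SHELLS:
            findings.append((ev.ts, "spooler_spawned_shell", ev.image_name))
    return findings


if __name__ == "__main__":
    for ts, rule, detail in analyze(parse_log(SAMPLE_LOG)):
        print(f"{ts} {rule}: {detail}")
```

Rule 1 is the cheapest to evade (an operator can rename the scripts), so rules 2 and 3 are the ones worth keeping in a production detection: a scheduled task whose action is a batch file in a user-writable directory, and any child process of spoolsv.exe, are both rare enough on a well-managed host to review individually.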

Previously, the APT28 group was observed weaponizing a Microsoft Outlook elevation-of-privilege vulnerability (CVE-2023-23397) in attacks against a limited number of organizations in the government, transportation, energy, and military sectors in Europe.

In January 2024, the threat actor launched a phishing campaign aimed at obtaining Ukrainian military personnel's credentials that would give it access to the country’s military situational awareness and command and control systems.
