Russian State Hackers Leverage New GooseEgg Malware

is utilized solely by a group known as 'Forest Blizzard,' closely associated by the US and UK governments with 's military intelligence agency, GRU Unit 26165.

by Editorial April 23, 2024 in Cybersecurity News, Firewall Daily Reading Time: 3 mins read 0

591 SHARES 3.3k VIEWS Share on LinkedInShare on Twitter

researchers uncovered a new tool in the ' arsenal that helped them gain elevated access, pilfer credentials and allowed lateral movement within compromised networks. Dubbed GooseEgg malware, this sophisticated tool exploits a vulnerability identified as CVE-2022-38028 in the service, responsible for managing printing processes.

Redmond fixed the vulnerability that gave attackers system privileges in its October 2022 Patch Tuesday stating the bug's exploitation is “most likely.” It is yet to flag the flaw as actively exploited in its assessment. 

Hackers Leverage the GooseEgg Malware to Exploit Windows Devices

GooseEgg malware is exclusively used by a group that the tech giant tracks as “Forest Blizzard,” which the United States and United Kingdom governments closely links to the Unit 26165 of Russia's military intelligence agency, the GRU. 

Forest Blizzard, also known as Fancy Bear and APT28, has deployed GooseEgg since at least June 2020, targeting state, non-governmental, educational and transportation entities across Ukraine, Western Europe and North America, Microsoft said. 

“The use of GooseEgg in Forest Blizzard operations is a unique discovery that had not been previously reported by security providers,” Redmond said.

Upon gaining access to a target device, Forest Blizzard used GooseEgg to escalate privileges within the network. Although GooseEgg itself functions as a basic launcher application, it enables attackers to execute remote code, implant backdoors and traverse compromised networks laterally.

The Rise of Forest Blizzard Hackers

Forest Blizzard additionally exploits other vulnerabilities including CVE-2023-23397, which impacts all versions of Microsoft Outlook software on Windows devices and is known to be exploited. This critically rated bug allows attackers to steal the Net-NTLM hash from the victims, enabling the attackers to assume a victim identity and to move deeper into the organization. 

In a December warning, Microsoft cautioned that Forest Blizzard was leveraging the Microsoft Outlook bug to illicitly access email accounts within Microsoft Exchange servers since April 2022.  

Forest Blizzard primarily targets government, energy, transportation and non-governmental organizations in the United States, Europe and the Middle East but Microsoft said it had observed the GRU hackers focus shift to media, information technology, sports organizations and educational institutions worldwide.  

“Forest Blizzard continually refines its footprint by employing new custom techniques and malware, suggesting that it is a well-resourced and well-trained group posing long-term challenges to attribution and tracking its activities,” Microsoft said. 



Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button