Russia's APT28 Exploited Windows Print Spooler Flaw to Deploy 'GooseEgg' Malware
23-Apr-24
APT28, also known as Fancy Bear or Forest Blizzard, exploited a Windows Print Spooler flaw (CVE-2022-38028) to deploy a custom malware called GooseEgg. This post-compromise tool, active since at least June 2020, allows for privilege escalation and has been used in attacks targeting government, education, and transportation sectors in Ukraine, Western Europe, and North America. Affiliated with Russia’s military intelligence agency, APT28 aims for intelligence collection to support Russian foreign policy. They’ve recently exploited other vulnerabilities like CVE-2023-23397 in Microsoft Outlook and CVE-2023-38831 in WinRAR. Meanwhile, IBM X-Force reported phishing attacks by the Gamaredon actor targeting Ukraine and Poland with new iterations of the GammaLoad malware, showcasing evolving tactics and capabilities.
