Russias Fancy Bear Pummels Windows Print Spooler Bug

The infamous Russian threat actor has created a custom tool called GooseEgg to exploit CVE-2022-38028 in cyber-espionage attacks against targets in Ukraine, Western Europe, and North America.

A well-known Russian advanced persistent threat (APT) group has been using a custom tool to exploit a bug that been around for several years in the
Windows Print Spooler
service to elevate privileges and steal credentials in numerous intelligence-gathering attacks around the globe. It also appears to be paving the way for further attacks.
Fancy Bear
(aka
APT28
, Forest Blizzard, Pawn Storm, Sofacy Group, and Strontium) is linked to the Russian General Staff Main Intelligence Directorate. It has been using a tool called GooseEgg since at least June 2020 and possibly as early as April 2019 to exploit the
CVE-2022-38028
vulnerability in Windows Print Spooler service, Microsoft Threat Intelligence revealed
in a blog post
on April 22.
Microsoft patched the flaw, which allows an attacker who successfully exploits it to gain SYSTEM privileges, in October 2022. Fancy Bear is using GooseEgg to modify a
JavaScript constraints file
and execute it with SYSTEM-level permissions.
While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks, according to the post.
Microsoft discovered Fancy Bear deploying GooseEgg in attacks against various Ukrainian, Western European, and North American government, nongovernmental, education, and transportation sector organizations.
Windows Print Spooler, a printer services technology, is
a popular target
for attackers, who
tend to pounce
on numerous flaws affecting the software that manages the printing process in Windows. The most well-known of these is two
security vulnerabilities collectively called PrintNightmare
that were discovered in late June 2021 and spawned a series of well-documented attacks.
That
Fancy Bear
targeted the service itself is not out of the ordinary, according to Microsoft; however, its use of the newly discovered GooseEgg to elevate privileges in these attacks is a novel threat activity for the group. GooseEgg is typically deployed with a batch script that invokes a corresponding GooseEgg executable and sets up persistence as a scheduled task.
The GooseEgg binary then takes one of four commands, each with different runpaths. While the binary appears to launch a trivial given command, in fact the binary does this in a unique and sophisticated manner, likely to help conceal the activity, according to the post.
Two of the binarys commands trigger the exploit for the Print Spooler flaw and launch either a provided dynamic link library (DLL) or executable with elevated permissions, while another command tests the exploit and checks that it has succeeded.
The name of an embedded malicious DLL file launched by GooseEgg typically includes the phrase wayzgoose, such as wayzgoose23.dll. That DLL as well as other components of the malware are deployed to one of several installation subdirectories created under the Windows directory C:ProgramData, according to Microsoft Threat Intelligence.
The exploit ultimately replaces the C: drive symbolic link in the object manager to point to the newly created directory, resulting in Print Spooler being redirected to the actor-controlled directory containing the copied driver packages when it attempts to load this registry: C:WindowsSystem32DriverStoreFileRepositorypnms009.inf_amd64_a7412a554c9bc1fdMPDW-Constraints.js.
Eventually, the auxiliary DLL wayzgoose.dll file launches in the context of the PrintSpooler service with SYSTEM permissions as a basic launcher application capable of spawning other applications with the same permissions, according to the post.
Fancy Bear has a history of attacking known vulnerabilities, particularly in Microsoft products, to compromise targets for its nefarious activities — which primarily involve, but are not limited to, intelligence gathering. Last year, it mounted a flurry of
cyber-espionage attacks
against government agencies in NATO countries and organizations in the Middle East that exploited CVE-2023-23397, a zero-click vulnerability in Microsofts Outlook email client.
While the groups most high-profile attack may be its ties to hacking aimed at
running interference
in the 2016 US presidential elections, the group has been most notably active of late in various attacks
against Ukraine
since Russias war against the country began in February 2022.
The best way that organizations can protect themselves against attacks from the Russian APT is to apply patches for the vulnerable products that it targets. Microsoft recommended that users apply the
CVE-2022-38028 security update
to mitigate the GooseEgg threat against Windows Print Spooler; meanwhile, the Microsoft Defender Antivirus detects the specific Forest Blizzard capability as HackTool:Win64/GooseEgg.
Another way to mitigate the issue is to disable the Windows Print Spooler service domain controller operations, since it isnt required, according to Microsoft. To help identify domain controllers that have the Print Spooler service enabled, Microsoft Defender for Identity has a
built-in security assessment
that tracks the availability of Print Spooler services on domain controllers.
Greg Fitzgerald, co-founder at Sevco Security, notes that printer bugs are particularly difficult to remediate because printers are often under-inventoried.
“Security teams have become incredibly efficient at identifying and remediating CVEs, but increasingly its these environmental vulnerabilities that create security gaps giving malicious actors access to data, Fitzgerald says. These vulnerabilities are hiding in plain sight throughout IT environments, creating a landscape of threats that security teams can’t see, but are still accountable for. The unfortunate reality is that most organizations are unable to create an accurate IT asset inventory that reflects the entirety of their attack surface. This puts them at the mercy of attackers who know where to look for forgotten IT assets that contain exploitable vulnerabilities.”

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Russias Fancy Bear Pummels Windows Print Spooler Bug