Russia's Fancy Bear Pummels Windows Print Spooler Bug

A well-known Russian advanced persistent threat (APT) group has been using a custom tool to exploit a bug that been around for several years in the Windows Print Spooler service to elevate privileges and steal credentials in numerous intelligence-gathering attacks around the globe. It also appears to be paving the way for further attacks.

Fancy Bear (aka APT28, Forest Blizzard, Pawn Storm, Sofacy Group, and Strontium) is linked to the Russian General Staff Main Intelligence Directorate. It has been using a tool called GooseEgg since at least June 2020 and possibly as early as April 2019 to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service, Microsoft Threat Intelligence revealed in a blog post on April 22.

Microsoft patched the flaw, which allows an attacker who successfully exploits it to gain SYSTEM privileges, in October 2022. Fancy Bear is using GooseEgg to modify a JavaScript constraints file and execute it with SYSTEM-level permissions.

"While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks," according to the post.

Microsoft discovered Fancy Bear deploying GooseEgg in attacks against various Ukrainian, Western European, and North American government, nongovernmental, education, and transportation sector organizations.

Windows Print Spooler, a printer services technology, is a popular target for attackers, who tend to pounce on numerous flaws affecting the software that manages the printing process in Windows. The most well-known of these is two security vulnerabilities collectively called PrintNightmare that were discovered in late June 2021 and spawned a series of well-documented attacks.

GooseEgg Malware Tailored for Windows Print Spooler

That Fancy Bear targeted the service itself is not out of the ordinary, according to Microsoft; however, its use of the newly discovered GooseEgg to elevate privileges in these attacks is a novel threat activity for the group. GooseEgg is typically deployed with a batch script that invokes a corresponding GooseEgg executable and sets up persistence as a scheduled task.

The GooseEgg binary then takes one of four commands, each with different runpaths. "While the binary appears to launch a trivial given command, in fact the binary does this in a unique and sophisticated manner, likely to help conceal the activity," according to the post.

Two of the binary's commands trigger the exploit for the Print Spooler flaw and launch either a provided dynamic link library (DLL) or executable with elevated permissions, while another command tests the exploit and checks that it has succeeded.

The name of an embedded malicious DLL file launched by GooseEgg typically includes the phrase "wayzgoose," such as wayzgoose23.dll. That DLL as well as other components of the malware are deployed to one of several installation subdirectories created under the Windows directory C:\ProgramData, according to Microsoft Threat Intelligence.

The exploit ultimately replaces the C: drive symbolic link in the object manager to point to the newly created directory, resulting in Print Spooler being redirected to the actor-controlled directory containing the copied driver packages when it attempts to load this registry: C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_amd64_a7412a554c9bc1fd\MPDW-Constraints.js.

Eventually, the auxiliary DLL wayzgoose.dll file launches in the context of the PrintSpooler service with SYSTEM permissions as "a basic launcher application capable of spawning other applications" with the same permissions, according to the post.

Keeping Fancy Bear Cyber Espionage at Bay

Fancy Bear has a history of attacking known vulnerabilities, particularly in Microsoft products, to compromise targets for its nefarious activities — which primarily involve, but are not limited to, intelligence gathering. Last year, it mounted a flurry of cyber-espionage attacks against government agencies in NATO countries and organizations in the Middle East that exploited CVE-2023-23397, a zero-click vulnerability in Microsoft's Outlook email client.

While the group's most high-profile attack may be its ties to hacking aimed at running interference in the 2016 US presidential elections, the group has been most notably active of late in various attacks against Ukraine since Russia's war against the country began in February 2022.

The best way that organizations can protect themselves against attacks from the Russian APT is to apply patches for the vulnerable products that it targets. Microsoft recommended that users apply the CVE-2022-38028 security update to mitigate the GooseEgg threat against Windows Print Spooler; meanwhile, the Microsoft Defender Antivirus detects the specific Forest Blizzard capability as HackTool:Win64/GooseEgg.

Another way to mitigate the issue is to disable the Windows Print Spooler service domain controller operations, since it isn't required, according to Microsoft. To help identify domain controllers that have the Print Spooler service enabled, Microsoft Defender for Identity has a built-in security assessment that tracks the availability of Print Spooler services on domain controllers.

Greg Fitzgerald, co-founder at Sevco Security, notes that printer bugs are particularly difficult to remediate because printers are often under-inventoried.

“Security teams have become incredibly efficient at identifying and remediating CVEs, but increasingly it's these environmental vulnerabilities that create security gaps giving malicious actors access to data," Fitzgerald says. "These vulnerabilities are hiding in plain sight throughout IT environments, creating a landscape of threats that security teams can’t see, but are still accountable for. The unfortunate reality is that most organizations are unable to create an accurate IT asset inventory that reflects the entirety of their attack surface. This puts them at the mercy of attackers who know where to look for forgotten IT assets that contain exploitable vulnerabilities.”