Old Windows print spooler bug is latest target of Russia's Fancy Bear gang

Putin's pals use 'GooseEgg' malware to launch attacks you can defeat with patches or deletion

Russian spies are exploiting a years-old Windows print spooler vulnerability and using a custom tool called GooseEgg to elevate privileges and steal credentials across compromised networks, according to Microsoft Threat Intelligence.

Redmond's threat hunters on Monday published findings from the team's investigation into the specialty malware developed by Forest Blizzard (aka Fancy Bear) – the cyber espionage crew that the US and UK governments have linked to the Russian General Staff Main Intelligence Directorate (GRU).

"Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions," Microsoft warned.

This, as The Reg's loyal readers likely remember, is the same Russian crew that had been infecting home and small business routers with Moobot malware before the FBI and friends shut it down in January. 

But even after that court-authorized takedown – which involved neutralizing "well over a thousand" malware-laden routers – authorities from 11 nations warned that Forest Blizzard was probably already building another botnet for phishing, spying, credential harvesting, and data theft.

In today's report, the Microsoft threat intel team revealed they spotted the Kremlin-backed spies laying GooseEggs on Ukrainian, Western European, and North American targets in government, non-government, education, and transportation sectors.

Microsoft patched CVE-2022-38028 – a print spooler elevation of privilege bug – in October 2022. 

After the GRU-backed hacking team has exploited the vulnerability gain access to a targeted device, they use a batch script, usually named "execute[dot]bat" or "doit[dot]bat," to drop a GooseEgg executable, establish persistence on the network and run four commands:

The first command issues a custom return code 0x6009F49F and exits; which could be indicative of a version number. The next two commands trigger the exploit and launch either a provided dynamic link library (DLL) or executable with elevated permissions. The fourth and final command tests the exploit and checks that it has succeeded using the whoami command.

The DLL file – which according to Microsoft usually includes "wayzgoose" in the name – is a launcher application that can launch other payloads with SYSTEM-level permissions, thus enabling the spies to install a backdoor, move laterally through the victim's network, and remotely execute code.

It should go without saying, but if you haven't already got around to patching the October 2022 print spooler bug, do so ASAP – as well as the earlier fixes for PrintNightmare that Microsoft issued on June 8, 2021 and July 1, 2021

Additionally, Redmond suggests disabling print spooler on domain controllers, since this service isn't required for domain controller operations anyway.

There's a full list of threat hunting queries and indicators of compromise in the Monday alert, so check those, too. ®

More about


Send us news

Other stories you might like