Russian APT28 Hackers Exploiting Windows Print Spooler


Hackers abuse Windows Print Spooler vulnerabilities because the service runs with elevated SYSTEM privileges, allowing privilege escalation.

Also, exploiting it enables remote code execution and credential theft.

Microsoft exposed the Russian threat actor Forest Blizzard (aka APT28, Sednit, Sofacy, and Fancy Bear), who has been using a custom tool called GooseEgg to elevate privileges and steal credentials by exploiting the CVE-2022-38028 Print Spooler vulnerability since at least 2020.

Windows Print Spooler Vulnerability

Targeting government, education, and transportation sectors across Ukraine, Europe, and North America, Forest Blizzard leverages GooseEgg for post-compromise activities like remote code execution and lateral movement. 

Although simple, GooseEgg’s ability to spawn elevated processes enables the pursuit of further malicious objectives.

Linked to Russia’s GRU intelligence agency, Forest Blizzard differs from other destructive GRU groups.


After gaining initial access, Forest Blizzard uses GooseEgg to elevate privileges, typically deploying it via batch scripts like execute.bat or doit.bat, which set up persistence, Microsoft said.

While concealing activities, GooseEgg exploits CVE-2022-38028 to run malicious DLLs (often “wayzgoose”) or executables with SYSTEM permissions.

It copies driver stores to directories that mimic software vendors under C:\ProgramData for staging payloads.

A subdirectory name is then selected from the following list:

  • Microsoft
  • Adobe
  • Comms
  • Intel
  • Kaspersky Lab
  • Bitdefender
  • ESET
  • NVIDIA
  • UbiSoft
  • Steam

GooseEgg’s commands enable checking exploit success, custom version identification, and privilege escalation – supporting Forest Blizzard’s ultimate objectives of credential theft and maintaining elevated access on compromised targets.

After exploiting Print Spooler, GooseEgg creates registry keys to register a rogue protocol handler and COM server.

It replaces the C: drive symbolic link to redirect Print Spooler into loading a malicious MPDW-Constraints.js file patched to invoke the rogue protocol during RpcEndDocPrinter.

This launches the wayzgoose.dll malware with SYSTEM privileges.

This DLL is a simple launcher capable of spawning any application with elevated permissions. It enables the threat actor to install backdoors, move laterally, and execute code remotely on compromised systems. 

By detailing these complex techniques, Microsoft exposes how Forest Blizzard abuses legitimate utilities to execute code and maliciously escalate privileges.

Recommendations

Microsoft's recommendations are as follows:

  • Harden credentials based on on-premises credential theft overview.
  • Activate EDR in block mode for proactive threat blocking.
  • Enable automated investigation and remediation for quick response.
  • Utilize cloud-delivered protection for up-to-date defense.
  • Block LSASS credential stealing.
  • Detect CVE-2021-34527 Print Spooler exploitation.
  • Search for suspicious files in ProgramData.
  • Identify processes creating scheduled tasks.
  • Look for constrained JavaScript files.
  • Monitor registry key and value creation.
  • Search for custom protocol handler activity.
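The hunting items above (files under ProgramData in vendor-lookalike directories, the constraints JavaScript file, and custom protocol handler registration) can be turned into a simple triage check. The following is an added example written for this article, not code from Microsoft or the report; the telemetry records are constructed, and the "URL Protocol" registry heuristic is an assumed general-purpose check rather than an indicator from the report.

```python
from pathlib import PureWindowsPath

# Vendor-style staging directory names listed in the report (compared case-insensitively).
VENDOR_DIRS = {v.lower() for v in (
    "Microsoft", "Adobe", "Comms", "Intel", "Kaspersky Lab",
    "Bitdefender", "ESET", "NVIDIA", "UbiSoft", "Steam")}
# File names the report ties to GooseEgg deployment.
KNOWN_NAMES = {"execute.bat", "doit.bat", "wayzgoose.dll", "mpdw-constraints.js"}
PAYLOAD_EXT = (".dll", ".exe", ".bat", ".js")

def triage_event(event: dict) -> list[str]:
    """Return hunting flags for one telemetry record.
    event is {"type": "file", "path": ...} or {"type": "registry", "key": ..., "value": ...}.
    """
    flags = []
    if event["type"] == "file":
        p = PureWindowsPath(event["path"])
        parts, name = p.parts, p.name.lower()
        if name in KNOWN_NAMES:
            flags.append(f"known-name:{name}")
        # Executable content staged under C:\ProgramData\<vendor-lookalike>\...
        if (len(parts) >= 4 and parts[1].lower() == "programdata"
                and parts[2].lower() in VENDOR_DIRS and name.endswith(PAYLOAD_EXT)):
            flags.append(f"programdata-vendor-dir:{parts[2]}")
    elif event["type"] == "registry":
        # A "URL Protocol" value is how a custom protocol handler is registered;
        # its creation is worth reviewing (assumed heuristic, not from the report).
        if event.get("value", "").lower() == "url protocol":
            flags.append("custom-protocol-handler-registered")
    return flags

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\ProgramData\Adobe\wayzgoose.dll"},
    {"type": "file", "path": r"C:\ProgramData\Intel\MPDW-constraints.js"},
    {"type": "file", "path": r"C:\Users\alice\Desktop\notes.txt"},
    {"type": "registry", "key": r"HKCR\rogueproto", "value": "URL Protocol"},
]

def run_triage(events=SAMPLE_EVENTS) -> dict:
    """Map each flagged event's path or key to its flags; unflagged events are dropped."""
    out = {}
    for e in events:
        f = triage_event(e)
        if f:
            out[e.get("path") or e.get("key")] = f
    return out

if __name__ == "__main__":
    for k, v in run_triage().items():
        print(k, "->", ", ".join(v))
```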

IoCs

IoCs (Source – Microsoft)
