Microsoft Warns of Russian APT28 Group Exploiting Windows Print Spooler Vulnerability with New Hacking Tool

ICARO Media Group
22/04/2024 21h14

In a recent advisory, Microsoft has issued a warning about the Russian APT28 threat group's exploitation of a Windows Print Spooler vulnerability. The group is utilizing a previously unknown hacking tool named GooseEgg to escalate privileges, steal credentials, and exfiltrate data.

Designed specifically to target the CVE-2022-38028 vulnerability, which was reported by the U.S. National Security Agency, GooseEgg allows APT28 to launch additional malicious tools and execute various commands with SYSTEM-level privileges. By deploying the tool as a Windows batch script named 'execute.bat' or 'doit.bat', the attackers gain persistence on compromised systems using a scheduled task that launches a second batch script called 'servtask.bat'.

One of the key functionalities of GooseEgg is dropping an embedded malicious DLL file, commonly referred to as 'wayzgoose23.dll', into the Print Spooler service context with SYSTEM permissions. This DLL acts as an application launcher, enabling the execution of other payloads with elevated privileges. Through this method, the threat actors can deploy backdoors, move laterally through networks, and execute remote code on compromised systems.
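The filenames the article names (the 'execute.bat'/'doit.bat' launcher, the 'servtask.bat' scheduled-task persistence script and the dropped 'wayzgoose23.dll') are the kind of indicators a defender would turn into hunting rules. The following is an added example, not code from Microsoft or the article: it parses a few constructed key=value telemetry lines (a simplified stand-in for process-creation, task-registration and file-creation events; the paths, task name and event format are assumptions) and flags the three GooseEgg behaviours described above.

```python
import ntpath
import re

# Indicators named in the article: GooseEgg batch script names and the dropped DLL.
BATCH_RE = re.compile(r"(?<![\w.-])(?:execute|doit|servtask)\.bat\b", re.IGNORECASE)
DLL_NAME = "wayzgoose23.dll"

# Constructed sample telemetry in a simplified key=value form (not real Sysmon/EDR
# output); the paths and the task name are assumptions chosen for illustration.
SAMPLE_EVENTS = [
    'ts=2024-04-22T10:01:00Z type=ProcessCreate image=C:\\Windows\\System32\\cmd.exe '
    'cmdline="cmd.exe /c C:\\Users\\Public\\execute.bat" user="NT AUTHORITY\\SYSTEM"',
    'ts=2024-04-22T10:01:05Z type=TaskRegistered taskname=\\Update '
    'action="C:\\Users\\Public\\servtask.bat"',
    'ts=2024-04-22T10:01:07Z type=FileCreate image=C:\\Windows\\System32\\spoolsv.exe '
    'target=C:\\Windows\\System32\\spool\\drivers\\x64\\wayzgoose23.dll',
    'ts=2024-04-22T10:02:00Z type=ProcessCreate image=C:\\Windows\\System32\\notepad.exe '
    'cmdline="notepad.exe report.txt" user=CORP\\alice',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(event):
    """Return the name of the rule an event trips, or None if it looks benign."""
    kind = event.get("type")
    # Launcher batch script run by cmd.exe (execute.bat / doit.bat).
    if kind == "ProcessCreate" and BATCH_RE.search(event.get("cmdline", "")):
        return "gooseegg_batch_execution"
    # Scheduled task whose action points at the second-stage batch (servtask.bat).
    if kind == "TaskRegistered" and BATCH_RE.search(event.get("action", "")):
        return "gooseegg_scheduled_task_persistence"
    # The embedded DLL being written to disk under the spooler's control.
    if kind == "FileCreate" and ntpath.basename(event.get("target", "")).lower() == DLL_NAME:
        return "gooseegg_dll_drop"
    return None


def scan(lines):
    """Run every rule over the lines; return (timestamp, rule) hits in log order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        rule = classify(ev)
        if rule:
            hits.append((ev.get("ts"), rule))
    return hits


if __name__ == "__main__":
    for ts, rule in scan(SAMPLE_EVENTS):
        print(ts, rule)
```

Name-based rules like these are brittle against renamed files, so in practice they belong alongside behavioural checks such as spoolsv.exe loading DLLs from unexpected directories.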

Microsoft has observed the APT28 group, also known as Forest Blizzard, utilizing GooseEgg in post-compromise activities against a range of targets, including government organizations in Ukraine, Western Europe, and North America. The affected sectors also include non-governmental organizations, educational institutions, and transportation companies.

APT28 has established itself as a prominent hacking group over the years, with a history of high-profile cyberattacks. Last year, U.S. and U.K. intelligence services highlighted APT28's exploitation of a Cisco router zero-day vulnerability to deploy Jaguar Tooth malware and harvest sensitive information from targets in the U.S. and EU.

In February, a joint advisory by the FBI, the NSA, and international partners warned of APT28's utilization of hacked Ubiquiti EdgeRouters as a means to evade detection in their attacks. The group has also been linked to the breach of the German Federal Parliament and the hacks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) ahead of the 2016 U.S. Presidential Election.

Notably, APT28 members were charged by the U.S. in connection with the DNC and DCCC attacks, while the Council of the European Union imposed sanctions against APT28 members for their involvement in the German Federal Parliament hack.

Microsoft urges users to apply the available patches and stay vigilant against such threats. The campaign serves as a reminder of the ongoing efforts by state-sponsored hacking groups to exploit vulnerabilities and infiltrate critical systems.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
