Threat behavior
GooseEgg is typically deployed with a batch script, observed under the names execute.bat and doit.bat. The batch script writes the file servtask.bat, which contains commands for saving off and compressing registry hives. The batch script also invokes the paired GooseEgg executable and establishes persistence as a scheduled task that runs servtask.bat.
The GooseEgg binary, observed under file names including (but not limited to) justice.exe and DefragmentSrv.exe, supports one of four commands, each with its own run path. Although the binary appears to launch a trivial command, it likely does so to help conceal the activity.
The first command issues a custom return code 0x6009F49F and exits, which could be indicative of a version number. The next two commands trigger the exploit and launch either a provided dynamic-link library (DLL) or an executable with elevated permissions. The fourth command tests the exploit and checks that it has succeeded using the whoami command.
The name of the embedded malicious DLL typically includes “wayzgoose”, for example wayzgoose23.dll. This DLL, along with the other malware components, is deployed to one of the following installation subdirectories (created under C:\ProgramData):
- Adobe
- Bitdefender
- Comms
- ESET
- Intel
- Kaspersky Lab
- Microsoft
- NVIDIA
- Steam
- UbiSoft
A specially crafted subdirectory, named from the format string \v%u.%02u.%04u with randomly generated numbers, is also created to serve as the install directory. For example, a directory such as C:\ProgramData\Adobe\v2.116.4405 might be created. The binary then copies the following driver store packages to that directory:
- C:\Windows\System32\DriverStore\FileRepository\pnms003.inf_*
- C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_*
Registry keys are then created, generating a custom protocol handler and registering a new CLSID to serve as the Component Object Model (COM) server for this “rogue” protocol. The exploit replaces the C: drive symbolic link in the object manager to point to the new directory. When the Print Spooler attempts to load C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_amd64_a7412a554c9bc1fd\MPDW-Constraints.js, it instead redirects to the threat actor-controlled directory containing the copied driver packages.
The malware patches a function to invoke the rogue search protocol and launch the auxiliary DLL wayzgoose.dll in the context of the Print Spooler service with SYSTEM permissions. This DLL is a basic launcher that spawns other applications with SYSTEM-level permissions, which allows threat actors to perform malicious activities such as backdoor installation, lateral movement through compromised networks, and remote code execution.
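The staging steps described above (the batch script names, the scheduled task running servtask.bat, the binary names, the wayzgoose DLL, the versioned install directory under C:\ProgramData built from \v%u.%02u.%04u, and the copy of the pnms003/pnms009 driver store packages into it) can be turned into simple hunting rules. The following is an added example, not code from Microsoft or from the GooseEgg tool: it matches those indicators against a constructed, hypothetical "kind|value" event format. The event lines, the rule names and the event format are assumptions made for this example; the indicators themselves come from the description above.

```python
import re

# All indicators below come from the threat description above; the "kind|value"
# log format and the sample lines are constructed for this example and are not
# real telemetry.
INSTALL_PARENTS = {
    "Adobe", "Bitdefender", "Comms", "ESET", "Intel",
    "Kaspersky Lab", "Microsoft", "NVIDIA", "Steam", "UbiSoft",
}
# Install directory name produced by the format string \v%u.%02u.%04u:
# "v" + unsigned int + "." + at least 2 digits + "." + at least 4 digits,
# e.g. C:\ProgramData\Adobe\v2.116.4405 (%02u/%04u are minimum widths).
INSTALL_DIR = re.compile(
    r"^C:\\ProgramData\\([^\\]+)\\(v\d+\.\d{2,}\.\d{4,})(?:\\|$)", re.IGNORECASE
)
DRIVER_STORE = re.compile(
    r"\\DriverStore\\FileRepository\\pnms0(?:03|09)\.inf_", re.IGNORECASE
)
WAYZGOOSE_DLL = re.compile(r"(?:^|\\)wayzgoose\d*\.dll$", re.IGNORECASE)
BATCH_NAMES = {"execute.bat", "doit.bat", "servtask.bat"}
BINARY_NAMES = {"justice.exe", "defragmentsrv.exe"}


def install_dir_match(path):
    """Return (parent, version_dir) when path sits in a GooseEgg-style
    install directory under C:\\ProgramData, else None."""
    m = INSTALL_DIR.match(path)
    if not m:
        return None
    parent, version_dir = m.group(1), m.group(2)
    if parent.lower() not in {p.lower() for p in INSTALL_PARENTS}:
        return None
    return parent, version_dir


def basename(path):
    """Lower-cased final path component (Windows separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event):
    """Map one 'kind|value' event line to the list of rule names it matches."""
    kind, _, value = event.partition("|")
    hits = []
    if kind == "FileCreate":
        if install_dir_match(value):
            hits.append("install_dir_under_programdata")
        if WAYZGOOSE_DLL.search(value):
            hits.append("wayzgoose_dll")
        if basename(value) in BATCH_NAMES:
            hits.append("gooseegg_batch_name")
    elif kind == "FileCopy":
        # value is "source -> destination"; copying a pnms003/pnms009 driver
        # store package into an install directory is the staging step.
        src, _, dst = value.partition(" -> ")
        if DRIVER_STORE.search(src) and install_dir_match(dst):
            hits.append("driver_store_copied_to_install_dir")
    elif kind == "ProcessCreate":
        if basename(value) in BINARY_NAMES:
            hits.append("gooseegg_binary_name")
    elif kind == "ScheduledTask":
        # persistence: a scheduled task whose action is one of the batch files
        if basename(value) in BATCH_NAMES:
            hits.append("scheduled_task_runs_gooseegg_batch")
    return hits


def scan_events(lines):
    """Return [(line, [rule, ...])] for every line matching at least one rule."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        hits = classify_event(line)
        if hits:
            findings.append((line, hits))
    return findings


# Constructed sample events (hypothetical host, paths and timestamps omitted).
SAMPLE_EVENTS = [
    r"FileCreate|C:\Users\alice\Desktop\execute.bat",
    r"FileCreate|C:\Users\alice\Desktop\servtask.bat",
    r"ProcessCreate|C:\Users\alice\Desktop\justice.exe",
    r"FileCreate|C:\ProgramData\Adobe\v2.116.4405\wayzgoose23.dll",
    r"FileCopy|C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_amd64_a7412a554c9bc1fd\MPDW-Constraints.js -> C:\ProgramData\Adobe\v2.116.4405\pnms009.inf_amd64_a7412a554c9bc1fd\MPDW-Constraints.js",
    r"ScheduledTask|C:\Users\alice\Desktop\servtask.bat",
    r"FileCreate|C:\ProgramData\Adobe\v2.16.405\readme.txt",    # too few digits for %04u: benign
    r"FileCreate|C:\ProgramData\Contoso\v2.116.4405\setup.log",  # parent not in the observed list: benign
]

if __name__ == "__main__":
    for line, hits in scan_events(SAMPLE_EVENTS):
        print(", ".join(hits), "<-", line)
```

The directory rule deliberately requires both the observed parent name and the %u.%02u.%04u shape, so a vendor directory with an ordinary version folder is not flagged on its own; the driver-store copy rule is the higher-confidence signal, since a benign installer has little reason to copy pnms003/pnms009 packages out of the DriverStore into C:\ProgramData.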
Prevention
Guidance for individual users
Keep your operating system and antivirus products up to date.
To learn more about preventing trojans or other malware from affecting individual devices, read about preventing malware infection. For more tips on how to keep your device safe, go to the Microsoft security help & learning portal.
Guidance for enterprise administrators
Following the mitigation steps below can help prevent malware attacks:
- Run Endpoint Detection and Response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown variants.
- Turn on tamper protection features to prevent attackers from stopping security services.
- Turn on attack surface reduction rules to prevent common attack techniques used for GooseEgg. Microsoft Defender XDR detects the GooseEgg tool and raises an alert upon detection of attempts to exploit Print Spooler vulnerabilities regardless of whether the device has been patched.
- Block credential stealing from the Windows local security authority subsystem (lsass.exe).