Speagle Malware Hijacks Cobra DocGuard To Steal Data Through Vulnerable Servers

Cybersecurity researchers have flagged a malware strain called Speagle that abuses the functionality and infrastructure of a legitimate program called Cobra DocGuard.
“Speagle is designed to secretly harvest sensitive information from infected computers and transfer it to a Cobra DocGuard server that is compromised by attackers, disguising the data filtering process as a legitimate client-server communication,” Symantec and Carbon Black researchers said in a report published today.
Cobra DocGuard is a document security and encryption platform developed by EsafeNet. Abuse of this software in real-world attacks has been publicly documented twice so far. In January 2023, ESET reported that a Hong Kong gambling company had been compromised in September 2022 via a malicious update pushed through the software.
Later that August, Symantec highlighted the activity of a new threat cluster called Carderbee, which was found using a trojanized version of the program to deploy PlugX, a backdoor widely used by Chinese hacking groups such as Mustang Panda. That campaign targeted many organizations in Hong Kong and other Asian countries.
Speagle had gone undocumented until now. What makes the malware noteworthy is that it is designed to collect and exfiltrate data only from systems that have the Cobra DocGuard data protection software installed. The activity is tracked under the moniker Runningcrab.
“This points to deliberate targeting, possibly to facilitate intelligence gathering or industrial espionage,” said Broadcom’s investigative team. “At this point, we believe that the most likely scenarios are either the work of a government-sponsored actor or the work of an independent contractor that can be hired.”

How the malware is delivered to victims is unknown, although delivery through a supply chain attack is suspected, given the two earlier cases mentioned above.
Also notable is the central role played by the security software and its infrastructure. Speagle not only uses a legitimate Cobra DocGuard server as both its command-and-control (C2) server and its data exfiltration point, it also instructs the driver associated with the program to delete itself from the compromised host.
When launched, the 32-bit .NET executable first scans the Cobra DocGuard installation folder and then harvests and transfers data from the infected machine in stages. This includes information about the system and files found in certain folders, such as those containing web browser history and autofill data.
In addition, one variant of Speagle was found to include extra functionality to enable or disable certain types of data collection, as well as to search for files related to Chinese ballistic missiles such as the Dongfeng-27 (aka DF-27).
“Speagle is a novel, malicious threat that cleverly uses the Cobra DocGuard client to hide its malicious activity and its infrastructure to hide traffic,” the researchers said. “Its developer has no doubt seen previous attacks on the supply chain using the software and may have chosen it both because of its apparent vulnerability and the high level of use among the target organizations.”