Speagle Malware Exploits Cobra DocGuard to Steal Data, Targets Asian Organizations in Sophisticated Attack

Speagle Malware Exploits Cobra DocGuard to Steal Sensitive Data via Compromised Servers

Cybersecurity researchers have identified a new malware strain named Speagle, which exploits the infrastructure of the legitimate Cobra DocGuard software to clandestinely extract sensitive information from infected systems. This sophisticated attack involves transmitting the stolen data to a compromised Cobra DocGuard server, effectively disguising the exfiltration process as routine communications between the client and server.

Cobra DocGuard, developed by EsafeNet, is a document security and encryption platform widely used for protecting sensitive documents. The software has previously been targeted in cyberattacks. In January 2023, ESET reported an incident where a Hong Kong-based gambling company was compromised through a malicious update of Cobra DocGuard. Later that year, in August, Symantec uncovered a threat group named Carderbee utilizing a trojanized version of Cobra DocGuard to deploy the PlugX backdoor, a tool commonly associated with Chinese hacking groups like Mustang Panda. These attacks primarily targeted organizations in Hong Kong and other parts of Asia.

The origins of Speagle remain unconfirmed. Notably, the malware specifically targets systems with Cobra DocGuard installed, suggesting a deliberate focus on intelligence gathering or industrial espionage. Researchers from Symantec and Carbon Black, who are tracking this activity under the codename Runningcrab, suggest that the operation could be the work of a state-sponsored entity or of a private contractor available for hire.

The exact method of Speagle’s delivery to victim systems is still under investigation. However, given the history of supply chain attacks involving Cobra DocGuard, it’s plausible that a similar approach was employed. The malware leverages the legitimate Cobra DocGuard server for command-and-control operations and data exfiltration. Additionally, it utilizes a driver associated with Cobra DocGuard to erase itself from the compromised host, further concealing its presence.

Upon execution, the 32-bit .NET executable checks for the installation directory of Cobra DocGuard. It then collects and transmits data from the infected machine in stages. This includes system details and files from specific folders, such as those containing web browser history and autofill data. Some variants of Speagle have been found with enhanced capabilities, allowing operators to toggle certain data collection activities on and off and to search for files related to Chinese ballistic missiles, such as the Dongfeng-27 (DF-27).

Speagle represents a novel and parasitic threat that exploits Cobra DocGuard's client to mask its malicious activities and uses the product's infrastructure to conceal exfiltration traffic. The developers of Speagle likely observed previous supply chain attacks involving Cobra DocGuard and selected it for its perceived weaknesses and its widespread use among the organizations they intended to target.