Researchers from Symantec and Carbon Black have found a new, hard-to-detect infostealer called Speagle. The malware hijacks Cobra DocGuard, a legitimate document security platform made by the Chinese company EsafeNet, and uses it to covertly steal and exfiltrate sensitive data.

Speagle disguises its data theft as normal network traffic by communicating with a compromised Cobra DocGuard server. Some versions of the malware are highly targeted, searching infected computers for documents about Chinese ballistic missiles.

Technical Execution and Gathering of Data

Speagle is a 32-bit .NET executable that begins by locating the Cobra DocGuard installation directory through certain registry keys or a hardcoded path.

Once in place, the malware collects data in three phases and attempts to exfiltrate after each one, so that at least part of the collection succeeds even if it is interrupted. In the first phase, Speagle gathers basic system information, such as the Windows user name, host name, and certain client identification tokens, from Cobra DocGuard configuration files. The stolen information is placed in an XML structure, compressed with the Deflate algorithm, and encrypted with AES-128 in CBC mode.

The encrypted data is then sent by HTTP POST to a compromised Cobra DocGuard server hosted by the targeted organization, which makes the exfiltration look like normal network activity.
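The packaging and transport described in the two paragraphs above leave a recognisable trace: a workstation sending several opaque (compressed-then-encrypted) POST bodies to the organization's own DocGuard server within a short window, one per collection phase. The following is an added detection example, not code from the article, Symantec, or Carbon Black; the server name docguard.corp.example, the thresholds, and the capture records are constructed for the example, and the entropy threshold and window would need tuning against a baseline of the real DocGuard client's traffic, which may itself be compressed or encrypted.

```python
"""
Added example (not the article's or the vendors' code): flags hosts that send
several opaque, high-entropy HTTP POST bodies to the organization's Cobra
DocGuard server in a short window, the pattern a three-phase Deflate+AES-CBC
exfiltration leaves in a proxy log or full-packet capture.
Hostnames, thresholds and records below are constructed for the example.
"""
import hashlib
import math
from collections import defaultdict
from datetime import datetime, timedelta

DOCGUARD_HOST = "docguard.corp.example"   # assumed name of the on-prem server
ENTROPY_THRESHOLD = 7.0                   # bits per byte; AES output approaches 8
BURST_COUNT = 3                           # one upload per collection phase
BURST_WINDOW = timedelta(minutes=15)      # assumed; tune against a baseline


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def _pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic stand-in for an encrypted body (SHA-256 chain), sample only."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed capture records: (timestamp, source host, destination host, body).
# ws-017 is a normal DocGuard client posting plaintext XML; ws-042 mimics the
# three growing uploads (system info, WMI/file lists, browser data).
SAMPLE_POSTS = [
    ("2024-05-01T09:00:00", "ws-017", DOCGUARD_HOST,
     b"<request><user>alice</user><op>checkout</op></request>" * 20),
    ("2024-05-01T09:02:10", "ws-042", DOCGUARD_HOST, _pseudo_ciphertext(b"phase1", 1800)),
    ("2024-05-01T09:05:30", "ws-042", DOCGUARD_HOST, _pseudo_ciphertext(b"phase2", 24000)),
    ("2024-05-01T09:09:45", "ws-042", DOCGUARD_HOST, _pseudo_ciphertext(b"phase3", 61000)),
    ("2024-05-01T09:11:00", "ws-017", "intranet.corp.example", _pseudo_ciphertext(b"tls", 900)),
]


def find_exfil_bursts(records, host=DOCGUARD_HOST):
    """Return {source_host: [timestamps]} for hosts that sent BURST_COUNT opaque
    POSTs to `host` within BURST_WINDOW; other destinations are ignored."""
    opaque = defaultdict(list)
    for ts, src, dst, body in records:
        if dst == host and shannon_entropy(body) >= ENTROPY_THRESHOLD:
            opaque[src].append(datetime.fromisoformat(ts))
    hits = {}
    for src, times in opaque.items():
        times.sort()
        for i in range(len(times) - BURST_COUNT + 1):
            if times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW:
                hits[src] = times[i:i + BURST_COUNT]
                break
    return hits


if __name__ == "__main__":
    for src, times in find_exfil_bursts(SAMPLE_POSTS).items():
        print(f"{src}: {len(times)} opaque POSTs to {DOCGUARD_HOST} between "
              f"{times[0].time()} and {times[-1].time()}")
```

Only the destination host, timing, and body entropy are used, so the rule works on a proxy that logs bodies or on a packet capture even when the transport is plain HTTP; if the legitimate DocGuard client also sends compressed bodies, pair the rule with a process-level check on the sending executable rather than lowering the threshold.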

In the second phase, Speagle extends its collection by running Windows Management Instrumentation (WMI) queries to learn more about the system environment, such as network settings, running processes, and attached drives. One version of Speagle looks for files related to Chinese ballistic missiles. It repeatedly scans local and network drives, focusing on user directories, to build lists of file names and sizes.

In the third phase, the malware looks in the application data directory for SQLite databases holding browser history, autofill information, downloads, and bookmarks. It copies this private data into its own data structure for sending. One version of Speagle goes further and actively searches for keywords related to aerospace, composite materials, and Dongfeng ballistic missiles.
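The third-phase behaviour above has a simple host-side signal: a process that is not a browser opening the browser's SQLite stores under the user's application data directory. The following detector is an added example, not code from the article or the vendors; the file-access events are constructed (in practice they would come from file-access auditing or an EDR telemetry feed), the DocGuardPlaceholder directory is a stand-in because the page does not give the installation path, and the allow-list of expected reader processes is an assumption to tune per environment.

```python
"""
Added example (not the article's or the vendors' code): flags processes other
than the browser itself reading browser SQLite stores under AppData, the
access pattern of the third collection phase described above. Events and
paths are constructed; the reader allow-list is an assumption.
"""
import ntpath
from dataclasses import dataclass

# Store names for history, autofill, downloads and bookmarks in Chromium- and
# Firefox-based browsers (Chromium's History/Web Data/Login Data have no extension).
BROWSER_DB_NAMES = {
    "history", "web data", "login data", "bookmarks",
    "places.sqlite", "formhistory.sqlite",
}
# Processes expected to open these stores. Assumed allow-list; extend per site.
EXPECTED_READERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass(frozen=True)
class FileAccessEvent:
    host: str
    user: str
    process_image: str   # full path of the process that opened the file
    target_path: str     # file that was opened


def is_browser_store(path: str) -> bool:
    """True when `path` is a known browser store somewhere under an AppData tree."""
    parts = [p.lower() for p in path.replace("/", "\\").split("\\")]
    return "appdata" in parts and parts[-1] in BROWSER_DB_NAMES


def suspicious_reads(events):
    """Events where a non-browser process opened a browser store."""
    return [
        e for e in events
        if is_browser_store(e.target_path)
        and ntpath.basename(e.process_image).lower() not in EXPECTED_READERS
    ]


# Constructed events: one legitimate browser read, two reads by an executable
# living in a (placeholder) DocGuard directory, and one unrelated file open.
SAMPLE_EVENTS = [
    FileAccessEvent("ws-042", "alice",
                    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\History"),
    FileAccessEvent("ws-042", "alice",
                    r"C:\Program Files (x86)\DocGuardPlaceholder\update.exe",
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\History"),
    FileAccessEvent("ws-042", "alice",
                    r"C:\Program Files (x86)\DocGuardPlaceholder\update.exe",
                    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\places.sqlite"),
    FileAccessEvent("ws-042", "alice",
                    r"C:\Windows\System32\notepad.exe",
                    r"C:\Users\alice\Documents\notes.txt"),
]


if __name__ == "__main__":
    for e in suspicious_reads(SAMPLE_EVENTS):
        print(f"{e.host}/{e.user}: {e.process_image} opened {e.target_path}")
```

Backup agents and legitimate password managers will also trip this rule, so the allow-list is the tuning point; what should never be on it is an executable from a document-security product's install directory, which is exactly the case the article describes.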

Supply Chain Threats and Evasion

The initial infection vector for Speagle remains unverified, but researchers believe it may be spread through a supply chain attack. The malware relies heavily on Cobra DocGuard infrastructure, including its self-deletion driver and command-and-control servers.

This strongly suggests the threat could have been delivered as a trojanized software update. Cobra DocGuard has been abused in supply chain attacks before, most notably by advanced persistent threat groups such as Carderbee in 2022 and 2023. The group behind Speagle is currently tracked as Runningcrab. Its clear targeting suggests either state-sponsored industrial espionage or a highly skilled private contractor.