Cybersecurity experts have discovered a new piece of malware called Speagle that takes over the features and infrastructure of a real program called Cobra DocGuard. Researchers from Symantec and Carbon Black said in a report published today that "Speagle is designed to secretly collect sensitive information from infected computers and send it to a Cobra DocGuard server that has been hacked by the attackers, hiding the data exfiltration process as normal communications between client and server."

EsafeNet makes Cobra DocGuard, a platform for encrypting and securing documents. There have been two public reports of this software being used in real-world attacks. In January 2023, ESET reported an attack in which a Hong Kong gambling company was compromised in September 2022 through a malicious update delivered by the software.

In August of that year, Symantec drew attention to a new threat group called Carderbee, which was using a hacked version of the program to spread PlugX, a backdoor widely used by Chinese hacking groups like Mustang Panda. The attacks hit a number of businesses in Hong Kong and other Asian countries. As of now, no one knows who is behind Speagle.

The malware is interesting because it only works on systems that have the Cobra DocGuard data protection software installed. Runningcrab is keeping an eye on the activity. "This shows that the target was chosen on purpose, maybe to help gather intelligence or for industrial espionage," said the threat hunting teams owned by Broadcom.

"Right now, we think the most likely explanations are that it was done by a state-sponsored actor or a private contractor who is available for hire." It is not known exactly how the malware reaches its victims, but the two cases mentioned above suggest that it may have been delivered through a supply chain attack. The case also underscores how valuable security software and its infrastructure are to attackers.

Speagle uses a real Cobra DocGuard server for command-and-control (C2) and as a place to steal data. It also uses a driver that is linked to the program to delete itself from the compromised host.

When you run the 32-bit .NET executable, it first looks in the Cobra DocGuard installation folder. Then, in stages, it collects and sends data from the infected machine. This includes information about the system and files in certain folders, like those that hold autofill data and web browser history.

In addition, one version of Speagle has been found to have extra features that allow its operators to enable or disable certain types of data collection and to search for files about Chinese ballistic missiles like Dongfeng-27 (DF-27). Researchers said, "Speagle is a new, parasitic threat that cleverly uses Cobra DocGuard's client to hide its bad behavior and its infrastructure to hide exfiltration traffic."

The malware's developers probably saw that the software had been used in previous supply chain attacks and may have chosen it because it was thought to be weak and was widely used by the organizations they were targeting.