A newly identified malware, tracked as Speagle, has been reported to abuse the legitimate Cobra DocGuard software to steal data from compromised systems. Researchers from Symantec and Carbon Black detailed that Speagle is engineered to covertly collect sensitive information and transmit it to a compromised Cobra DocGuard server, disguising the exfiltration as the software's normal network traffic.
Details of the Attack
Cobra DocGuard, developed by EsafeNet, is a document security and encryption platform. This software has previously been involved in security incidents, including a notable case in January 2023 where a gambling company in Hong Kong was compromised through a malicious update. Additionally, in August 2022, a threat cluster known as Carderbee was documented using a trojanized version of Cobra DocGuard to deploy the PlugX backdoor, targeting various organizations in Hong Kong and other Asian regions.
Targeted Systems and Data Exfiltration
Speagle specifically targets systems that have the Cobra DocGuard software installed, indicating a focused approach likely aimed at intelligence gathering or industrial espionage. The activity associated with Speagle is being tracked under the name Runningcrab. The precise delivery method of the malware remains unclear, but it is suspected to involve a supply chain attack, similar to previous incidents involving Cobra DocGuard.
Malware Functionality
The malware uses a legitimate Cobra DocGuard server for command-and-control (C2) and data exfiltration. On execution, the 32-bit .NET executable checks for the Cobra DocGuard installation directory, then collects and transmits data in phases: first system details, then files from specific directories, including web browser history and autofill data. Notably, one variant of Speagle has been observed with the ability to toggle certain data collection features on and off and to search for files related to Chinese ballistic missiles.
Conclusion and Implications
Researchers have characterized Speagle as a novel threat that disguises its malicious activity by blending in with Cobra DocGuard's own infrastructure. The choice of this software suggests that its developers were aware both of its weaknesses and of how widely it is deployed among the organizations they target.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.