In a significant cybersecurity development, a malware named Speagle has been identified, targeting users of Cobra DocGuard. This platform, created by Chinese firm EsafeNet, is widely used for document encryption and security. Speagle’s emergence highlights the increasing sophistication of cyber threats, particularly those aimed at exploiting trusted software systems.
Malware Embedded in Trusted Software
Speagle’s design allows it to seamlessly integrate into its environment, leveraging Cobra DocGuard’s infrastructure to carry out its malicious activities. Unlike typical malware, Speagle focuses on extracting highly confidential information, specifically documents related to Chinese defense technologies, such as ballistic missiles.
Cobra DocGuard has previously been exploited in cyberattacks. In September 2022, it was part of a supply chain attack against a gambling firm in Hong Kong. More recently, in August 2023, a hacker group dubbed Carderbee used the platform to deploy the Korplug backdoor across Asia, underscoring the persistent vulnerabilities within Cobra DocGuard.
Technical Insights and Threat Actors
Symantec researchers have categorized Speagle as a 32-bit .NET executable, operational only on systems with Cobra DocGuard installed. The malware is attributed to a group named Runningcrab, though its ties to other known threat actors remain unverified. Analysts suggest the perpetrators could be either a state-sponsored entity or a proficient private operator, given the targeted nature of their attacks.
The exact method of infection is still under investigation, but indications point to a possible supply chain attack. Speagle uses Cobra DocGuard’s legitimate FileLock driver for self-removal post-operation, aligning with tactics seen in Trojanized software scenarios.
Data Collection and Exfiltration Techniques
Speagle’s data extraction process begins by verifying Cobra DocGuard’s presence through specific registry keys. It then proceeds through multiple collection phases, initially gathering system identifiers, followed by an analysis of running processes and network connections. In its final phase, it targets browser data, searching for defense-related terms in Chinese, such as ‘Dongfeng’ and ‘Changjian’.
After data is compiled, Speagle compresses and encrypts it before sending it to a compromised Cobra DocGuard server via HTTP POST requests. This method ensures that exfiltration traffic appears routine, leveraging the server’s legitimate communication pathways.
Protective Measures and Recommendations
Organizations using Cobra DocGuard are advised to scrutinize outgoing network traffic for unusual connections, particularly to IP addresses 60.30.147[.]18 and 222.222.254[.]165. Updating endpoint detection tools to recognize Speagle’s known hashes is crucial. Administrators should also regularly verify server integrity and review update channels for unauthorized changes.
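One way to act on the traffic-review advice above, as an added example that is not part of the article or of Symantec's research: a small Python checker that re-fangs the two indicator addresses quoted in the article and scans egress proxy log lines for HTTP POSTs to them, flagging large outbound POSTs elsewhere as lower-confidence items for review. The log line format, the size threshold, and the sample lines themselves are constructed for illustration.

```python
import re
from ipaddress import ip_address

# Indicators quoted in the article, kept in their defanged form.
DEFANGED_IOCS = ["60.30.147[.]18", "222.222.254[.]165"]

# Assumption for this example: a single POST larger than this is worth a look.
LARGE_POST_BYTES = 50_000


def refang(indicator: str) -> str:
    """Turn a defanged address such as 60.30.147[.]18 into a plain IP string."""
    return indicator.replace("[.]", ".").replace("(.)", ".")


KNOWN_C2 = {ip_address(refang(i)) for i in DEFANGED_IOCS}

# Constructed sample egress log: "<ts> <src> <dst> <method> <path> <bytes_out>".
SAMPLE_LOG = """\
2024-01-15T09:12:01Z 10.0.5.21 60.30.147.18 POST /upload 48213
2024-01-15T09:12:05Z 10.0.5.22 203.0.113.7 GET /index.html 512
2024-01-15T09:13:44Z 10.0.5.21 222.222.254.165 POST /api/data 91234
2024-01-15T09:14:00Z 10.0.5.30 198.51.100.9 POST /sync 120000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<bytes>\d+)$"
)


def find_suspicious(log_text: str) -> list:
    """Return one record per line that hits a known address or is a large POST."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        try:
            dst = ip_address(m["dst"])
        except ValueError:
            continue  # destination is a hostname or garbage, not an IP
        reasons = []
        if dst in KNOWN_C2:
            reasons.append("known_address")
        if m["method"] == "POST" and int(m["bytes"]) >= LARGE_POST_BYTES:
            reasons.append("large_post")
        if reasons:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": str(dst),
                         "bytes": int(m["bytes"]), "reasons": reasons})
    return hits
```

Any "known_address" hit identifies a host to isolate and image; "large_post" alone is only a prompt to check the destination against the organisation's own baseline.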
