Speagle Malware - Hijacks Cobra DocGuard to Steal Data
In short, Speagle is an infostealer that hides inside a legitimate program in order to steal sensitive information.
A new malware named Speagle is targeting Cobra DocGuard, stealing sensitive data through compromised servers. Organizations using this software are at high risk. Immediate action is needed to secure systems and prevent data theft.
What Happened
A newly identified malware called Speagle has emerged as a significant threat, specifically targeting organizations using Cobra DocGuard, a document security and encryption platform developed by EsafeNet. This infostealer malware is designed to blend seamlessly into its host environment, using the very software it targets to cover its data theft operations. Unlike typical malware, Speagle actively seeks out files related to highly sensitive subjects, including documents about Chinese ballistic missiles.
Cobra DocGuard has a concerning security history, having been exploited in past attacks. For instance, in September 2022, attackers used it in a supply chain attack against a gambling company in Hong Kong. Again, in August 2023, a threat actor known as Carderbee exploited the platform to deploy the Korplug backdoor against organizations in Hong Kong and parts of Asia. This pattern of exploitation has made Cobra DocGuard a frequent target for cybercriminals.
How It Works
Speagle operates as a 32-bit .NET executable and only functions fully on systems where Cobra DocGuard is installed. The threat actor behind Speagle has been named Runningcrab, although there is no confirmed link to any known threat groups. Analysts suggest that the malware is likely the work of either a state-sponsored actor or a skilled private contractor, given its specific targeting of Cobra DocGuard users and focus on defense-related documents.
The infection vector remains unclear, but early indicators suggest a possible supply chain attack. Speagle cleverly uses a legitimate Cobra DocGuard driver, the FileLock driver, to remove itself after completing its operations. This self-deletion technique is indicative of Trojanized software updates, showcasing the attacker's familiarity with the internal components of the software.
Who's Being Targeted
Organizations that utilize Cobra DocGuard are at high risk. Speagle confirms the presence of Cobra DocGuard by checking specific Windows registry keys. Once confirmed, it embarks on a structured, multi-phase data collection process. The first phase involves gathering the machine’s username, hostname, and unique Cobra DocGuard client identifiers. If no valid client ID is found, Speagle triggers its self-delete routine and exits.
In the second phase, Speagle collects extensive system information, including running processes, network connections, and installed services. The third phase targets browser data, pulling details such as browsing history and saved passwords. Notably, one variant of Speagle searches for documents using Chinese-language keywords related to defense technology, indicating a targeted approach.
How to Protect Yourself
Organizations running Cobra DocGuard should take immediate action. They should audit outbound network traffic for unexpected connections to the IP addresses associated with Speagle, and update endpoint detection tools to flag Speagle’s known file hashes. Additionally, administrators should verify the integrity of their Cobra DocGuard server installations and review software update channels for unauthorized modifications.
Implementing robust security measures is essential. Regularly updating endpoint protection signatures and monitoring network traffic can help mitigate the risk posed by Speagle. By staying vigilant, organizations can better protect themselves against this sophisticated malware threat.
Cyber Security News