
Cybersecurity researchers have reported a new malware called Speagle that hijacks the functionality and infrastructure of a legitimate program called Cobra DocGuard.
“Speagle is designed to covertly collect sensitive information from infected computers and send it to a Cobra DocGuard server that has been compromised by an attacker, masking the data exfiltration process as a legitimate communication between client and server,” researchers from Symantec and Carbon Black said in a report released today.
Cobra DocGuard is a document security and encryption platform developed by EsafeNet. Exploitation of this software in real-world attacks has been publicly documented twice to date. In January 2023, ESET documented an intrusion in which a gambling company in Hong Kong was compromised in September 2022 through a malicious update delivered via the software.
In late August of the same year, Symantec highlighted the activity of a new threat cluster codenamed Carderbee. The cluster was found to be using a trojanized version of the program to deploy PlugX, a backdoor widely used by Chinese hacking groups such as Mustang Panda. The attacks targeted multiple organizations in Hong Kong and other Asian countries.
The actor behind Speagle has not been identified to date. What makes the malware notable, however, is that it is designed to collect and exfiltrate data only from systems that have the Cobra DocGuard data protection software installed. The activity is tracked under the name “Runningcrab”.
“This likely indicates intentional targeting to facilitate intelligence gathering or industrial espionage,” Broadcom’s threat hunting team said. “At this point, we believe the most likely hypothesis is that it was the work of state sponsors or private contractors.”

It is unclear exactly how the malware is delivered to victims, but it is suspected that it may be delivered via a supply chain attack, as in the two cases mentioned above.
Also notable is the central role played by the security software and its infrastructure. In addition to using a legitimate Cobra DocGuard server as its command-and-control (C2) and data exfiltration point, Speagle also calls drivers associated with the program to remove itself from compromised hosts.
When launched, the 32-bit .NET executable first checks the Cobra DocGuard installation folder and then progressively collects data from the infected machine and sends it out. This includes details about the system and files in specific folders, such as files containing web browser history and autofill data.
Speagle variants were also found to include functionality to turn certain types of data collection on or off and to search for files related to Chinese ballistic missiles such as the Dongfeng-27 (also known as the DF-27).
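The report's key point for defenders is that exfiltration blends into traffic that already flows between DocGuard clients and their server. One practical way to surface that is to compare each flow to the server against two expectations: the sending process should be the known DocGuard client binary, and the volume sent should stay near the baseline of ordinary client check-ins. The script below is an added illustration of that detection logic and is not code from Symantec, Carbon Black or EsafeNet; the server name, the client path, the telemetry field names and the sample flows are all constructed placeholders.

```python
"""Flag outbound flows to a Cobra DocGuard server that do not look like
ordinary client check-ins (added example; all values below are constructed)."""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    host: str        # reporting endpoint
    process: str     # image path of the sending process (assumed telemetry field)
    dst: str         # destination host name
    bytes_out: int   # bytes sent during the aggregation window


@dataclass
class Alert:
    host: str
    process: str
    reasons: list


# Placeholders, not real values from the product or the report.
DOCGUARD_SERVER = "docguard-server.internal.example"
EXPECTED_CLIENT = r"c:\placeholder\docguard\client.exe"

# Constructed sample flows: three normal client check-ins, one flow from a
# process that is not the DocGuard client, one oversized flow from the real
# client, and one flow to an unrelated host that the rule should ignore.
SAMPLE_FLOWS = [
    Flow("ws01", EXPECTED_CLIENT, DOCGUARD_SERVER, 12_000),
    Flow("ws02", EXPECTED_CLIENT, DOCGUARD_SERVER, 9_500),
    Flow("ws03", EXPECTED_CLIENT, DOCGUARD_SERVER, 11_000),
    Flow("ws04", r"c:\users\public\update.exe", DOCGUARD_SERVER, 48_000_000),
    Flow("ws05", EXPECTED_CLIENT, DOCGUARD_SERVER, 300_000_000),
    Flow("ws06", EXPECTED_CLIENT, "files.other.example", 5_000_000),
]


def suspicious_flows(flows, expected_client=EXPECTED_CLIENT,
                     server=DOCGUARD_SERVER, factor=50):
    """Return an Alert for every flow to `server` that either comes from a
    process other than the expected client or sends far more than the
    per-window baseline.

    The baseline is the median bytes_out of all flows to the server in the
    window; the median is robust to the few oversized outliers we are
    trying to catch, so they do not drag the threshold up.
    """
    to_server = [f for f in flows if f.dst.lower() == server.lower()]
    if not to_server:
        return []
    threshold = factor * median(f.bytes_out for f in to_server)
    alerts = []
    for f in to_server:
        reasons = []
        if f.process.lower() != expected_client.lower():
            reasons.append("unexpected_process")
        if f.bytes_out > threshold:
            reasons.append("volume_anomaly")
        if reasons:
            alerts.append(Alert(f.host, f.process, reasons))
    return alerts


if __name__ == "__main__":
    for a in suspicious_flows(SAMPLE_FLOWS):
        print(f"{a.host}: {a.process} -> {', '.join(a.reasons)}")
```

On the sample data the rule flags ws04 (wrong process and oversized transfer) and ws05 (legitimate client, but a transfer far above the baseline), while the normal check-ins and the flow to an unrelated host pass. The process check covers a foreign executable reusing the server; the volume check covers the harder case where the malware runs under the client's own identity, which is the scenario the report describes.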
“Speagle is a new parasitic threat that cleverly leverages Cobra DocGuard’s clients to hide its malicious activity and its infrastructure, hiding exfiltrated traffic,” the researchers wrote. “Its developers have undoubtedly noted previous supply chain attacks using this software and may have selected this software based on both its perceived vulnerabilities and high usage among targeted organizations.”
