In a sophisticated display of “parasitic” engineering, a mysterious new threat has been discovered living within the very walls of the security software meant to keep it out. Researchers from Symantec and Carbon Black have unveiled Infostealer.Speagle, a stealthy piece of malware that hijacks the infrastructure of Cobra DocGuard, a legitimate document encryption platform developed by the Chinese firm EsafeNet.
The threat is so stealthy that it doesn’t just hide from the security suite; it uses the suite’s own servers to exfiltrate stolen data, effectively “masking the data exfiltration process as legitimate communications between client and server”.
The threat actor behind this operation, currently tracked under the name Runningcrab, has designed Speagle with a single-minded focus. Interestingly, the malware is programmed to “collect and exfiltrate data only when running on computers with Cobra DocGuard data protection software installed”.
This hyper-targeted approach suggests a campaign built for high-stakes industrial espionage or state-level intelligence gathering. One variant of the malware revealed a particularly specific objective: it searches for documents related to Chinese ballistic missiles, including keywords like “Dongfeng-27,” “hypersonic,” and “warhead”.

While the exact infection vector is still being investigated, researchers have “low-confidence indications” that Speagle may be the result of a supply chain attack. This wouldn’t be the first time for Cobra DocGuard, which has been used in similar attacks at least twice before by groups like Carderbee.
Evidence for this theory lies in the malware’s exit strategy. To vanish without a trace, Speagle calls upon a legitimate Cobra DocGuard driver to facilitate its own deletion. “The fact that the malware used a Cobra DocGuard driver to self-delete suggests it could have been delivered as part of a Trojanized software update,” though this remains a working hypothesis.
Speagle is a 32-bit .NET executable that moves through a victim’s system in three distinct phases, attempting to exfiltrate data at each step to ensure the attackers get at least a partial haul if they are interrupted.
Phase 1: Identity and Reconnaissance
The malware first identifies the victim by harvesting the Windows username, hostname, and the unique ClientID stored within the Cobra DocGuard installation folder.
Phase 2: System Mapping
Speagle then deep-dives into the system using WMI queries to map out everything from network connections and running processes to firewall rules and scheduled tasks. It also creates a recursive listing of all files and folders on local and removable disks.
Phase 3: The Data Grab
In its final phase, the malware targets the “History,” “Bookmarks,” and “Web Data” files of the user’s browser. It makes temporary copies of these SQLite databases to steal:
- URLs and titles from browsing history.
- Autofill names and values.
- Download paths and omnibox shortcuts.
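The three phases above are worth turning into a concrete detection. The browser keeps its profile databases locked while it runs, so a stealer that wants the SQLite files has to copy them first, and that copy is made by a process that is not the browser. The following Python is an added example, not code from the Symantec or Carbon Black write-up: it scans constructed Sysmon-style FileCreate (Event ID 11) records for a non-browser process creating a file named History, Bookmarks or Web Data, and then groups hits by process, since one process touching several profile databases in a short window is the stronger signal. The browser allow-list and the sample events are assumptions for illustration.

```python
import json
import ntpath
from collections import defaultdict

# Profile databases the write-up says Speagle copies before reading them.
BROWSER_DB_NAMES = {"history", "bookmarks", "web data"}

# Processes expected to write those files. Hypothetical allow-list; tune per estate.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

# Constructed Sysmon-style FileCreate (Event ID 11) records, not real telemetry.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 11,
                "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\History"}),
    json.dumps({"EventID": 11,
                "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
                "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\tmp8F3A.tmp\History"}),
    json.dumps({"EventID": 11,
                "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
                "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\tmp8F3A.tmp\Web Data"}),
    json.dumps({"EventID": 11,
                "Image": r"C:\Windows\explorer.exe",
                "TargetFilename": r"C:\Users\alice\Documents\History.docx"}),
    json.dumps({"EventID": 1,
                "Image": r"C:\Windows\System32\cmd.exe",
                "TargetFilename": ""}),
]


def parse_file_create(line):
    """Return the event dict for a FileCreate record, or None for anything else."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    return ev if ev.get("EventID") == 11 else None


def is_suspicious_db_copy(ev):
    """True when a browser profile database is written by a process outside the allow-list."""
    name = ntpath.basename(ev.get("TargetFilename", "")).lower()
    image = ntpath.basename(ev.get("Image", "")).lower()
    return name in BROWSER_DB_NAMES and image not in BROWSER_IMAGES


def find_browser_db_copies(lines):
    """Return (image, target) for every non-browser process creating a browser DB copy."""
    hits = []
    for line in lines:
        ev = parse_file_create(line)
        if ev and is_suspicious_db_copy(ev):
            hits.append((ntpath.basename(ev["Image"]).lower(), ev["TargetFilename"]))
    return hits


def databases_per_process(lines):
    """Group hits by process name; several distinct databases from one process is the higher-confidence alert."""
    seen = defaultdict(set)
    for image, target in find_browser_db_copies(lines):
        seen[image].add(ntpath.basename(target).lower())
    return dict(seen)


if __name__ == "__main__":
    for image, dbs in databases_per_process(SAMPLE_EVENTS).items():
        print(f"{image}: copied {sorted(dbs)}")
```

The allow-list is deliberately by image name only; in production you would also check the signer or full path, because a renamed binary can take a browser's name. Matching on the bare file name rather than the full path is what catches the copy, since the stealer's temporary directory is not the browser profile directory.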
To smuggle this data out, Speagle serializes it into an XML string, compresses it, and encrypts it using AES-128. The encrypted package is then hexlified and transmitted via HTTP POST requests to a compromised Cobra DocGuard server. By using a legitimate server hosted by the attacked organization, the malware effectively hides its traffic in plain sight.
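Because the destination is a legitimate server the organization itself operates, a destination-based block list will not help here; the usable signal is the shape of the request body. Compressing and then AES-encrypting the XML leaves a byte stream with entropy close to 8 bits per byte, and hexlifying it produces a body made only of hex digits of even length. The Python below is an added example, not code from the original report: it takes constructed proxy records, tests whether a POST body is a pure hex blob, decodes it and measures Shannon entropy, flagging high-entropy bodies. The host name, the sample records and the SHA-256-derived stand-in for ciphertext (the real key and IV are not on the page) are all assumptions.

```python
import hashlib
import math
import re
from collections import Counter

HEX_RE = re.compile(r"[0-9a-fA-F]+")
MIN_HEX_CHARS = 64        # ignore short tokens such as session ids
ENTROPY_THRESHOLD = 7.0   # bits per byte; compressed + encrypted data sits near 8


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte of the empirical byte distribution of data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_hex_blob(body: str) -> bool:
    """True for a body consisting solely of hex digits, even-length and long enough to matter."""
    return (len(body) >= MIN_HEX_CHARS
            and len(body) % 2 == 0
            and HEX_RE.fullmatch(body) is not None)


def classify_post(record: dict):
    """Return (flag, entropy): flag is True when a hex body decodes to encrypted-looking bytes."""
    body = record.get("body", "")
    if not is_hex_blob(body):
        return False, None
    entropy = shannon_entropy(bytes.fromhex(body))
    return entropy >= ENTROPY_THRESHOLD, entropy


def find_suspect_posts(records):
    """List (host, path, entropy) for every record whose body looks like hexlified ciphertext."""
    hits = []
    for rec in records:
        flag, entropy = classify_post(rec)
        if flag:
            hits.append((rec["host"], rec["path"], round(entropy, 2)))
    return hits


# Constructed stand-in for an AES output: 1024 deterministic pseudo-random bytes.
_FAKE_CIPHERTEXT = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(32))

# Constructed proxy records; the host is a placeholder, not a real DocGuard server.
SAMPLE_POSTS = [
    {"host": "docguard.corp.example", "path": "/api/sync",
     "body": "user=alice&op=sync&doc=42"},                      # ordinary form post
    {"host": "docguard.corp.example", "path": "/api/upload",
     "body": _FAKE_CIPHERTEXT.hex()},                           # hexlified ciphertext
    {"host": "docguard.corp.example", "path": "/api/status",
     "body": ('<?xml version="1.0"?><report><host>PC1</host></report>' * 4)
             .encode().hex()},                                  # hex, but plaintext inside
    {"host": "docguard.corp.example", "path": "/api/ping",
     "body": "deadbeef"},                                       # too short to judge
]

if __name__ == "__main__":
    for host, path, entropy in find_suspect_posts(SAMPLE_POSTS):
        print(f"suspect POST to {host}{path}: body entropy {entropy} bits/byte")
```

Entropy alone does not distinguish encrypted from merely compressed data, so a hit says "opaque blob to an internal server", not "Speagle"; pair it with the client process and the volume and cadence of posts. The hex-only check is the cheap filter that lets you run the entropy calculation on a small fraction of traffic.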