Meet Speagle: a new threat designed to infect users of a Chinese security software package and then hunt for information on Chinese ballistic missiles

Khushal (thread author)
Apr 4, 2024
Symantec and Carbon Black researchers have uncovered a mysterious and stealthy new threat that hijacks the functionality and infrastructure of the legitimate security software Cobra DocGuard. Infostealer.Speagle is designed to surreptitiously harvest sensitive information from infected computers and transmit it to a Cobra DocGuard server that has been compromised by the attackers, masking the data exfiltration process as legitimate communications between client and server. Notably, Speagle appears to be capable of collecting information on highly targeted subjects, such as specifically seeking out documents related to Chinese ballistic missiles.
Executive Summary

Confirmed Facts: Speagle is a 32-bit .NET infostealer that specifically targets environments running the Cobra DocGuard security software to harvest system and browser data.

Assessment: The hyper-focused collection of intelligence, specifically targeting Chinese ballistic missile documentation, suggests a highly capable state-sponsored or contracted threat actor, though the initial delivery vector remains undetermined.

Technical Analysis & Remediation

MITRE ATT&CK Mapping
T1005 (Data from Local System)
T1082 (System Information Discovery)
T1047 (System Network Configuration Discovery)
T1048 (Windows Management Instrumentation)
T1070.004 (Hide Artifacts: File Deletion)

CVE Profile: N/A [CISA KEV Status: Inactive]

Telemetry

Hashes (SHA256):
03298f85eaf8880222cf8a83b8ed75d90712c34a8a5299a60f47927ad044b43b
dcd3f06093bf34d81837d837c5a5935beb859ba6258e5a80c3a5f95638a13d4d
fad8d0307db5328c8b9f283a2cc6f7e4f4333001623fef5bd5c32a1c094bf890
d7f167cbf1676c14fd487219447e30fadf26885eb25ec4cafdeabe333bddf877

Network (IPv4/URL):
60.30.147[.]18:8091/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy
222.222.254[.]165:8090/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy

Registry Keys:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Esafenet\CDG System\"InstallDir"
HKEY_LOCAL_MACHINE\SOFTWARE\Esafenet\CDG System\"InstallDir"

Driver Abuse:
\\.\FileLock (targeted via DeviceIoControl code 0x85272220)

Origin Constraint: The structure suggests a software supply chain attack, given the abuse of the proprietary \\.\FileLock driver for self-deletion; however, there is insufficient evidence to confirm the exact delivery vector.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight
Command: Initiate high-severity incident response protocols for targeted espionage if EsafeNet Cobra DocGuard is utilized within the environment.

DETECT (DE) – Monitoring & Analysis
Command: Deploy SIEM queries for outbound HTTP POST traffic containing the exact User-Agent "Raw HTML Reader".
Command: Hunt for anomalous HTTP headers including X-Request-Name, X-Request-ID, X-Request-No, and X-Request-Time.
Command: Monitor for SetFileInformationByHandle API calls that pass FileRenameInfo targeting files whose names are six upper-case letters.
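The three DETECT commands above, together with the network and driver indicators from the Telemetry section, turned into one offline hunt script. This is an added example, not code from the post or from Symantec/Carbon Black: the key=value log format, the sample telemetry lines, the field names (event, dst, ua, headers, api, info, device, code) and the severity tiers are constructed for the demo, and the choice to let a six-letter name carry an extension is our assumption. The only values taken from the post are the C2 hosts and URL, the User-Agent string, the X-Request-* header names, the \\.\FileLock device and its IOCTL code.

```python
"""Speagle indicator hunt over constructed HTTP, IOCTL and file-rename telemetry."""
import re
from typing import Dict, List, Tuple

# Indicators copied from the post. The IPs are defanged there (60.30.147[.]18);
# they are fanged here so they compare equal to real log fields.
C2_HOSTS = {"60.30.147.18", "222.222.254.165"}
C2_PATH = "/CDGServer3/CDGClientDiagnostics"
C2_QUERY = "flag=syn_user_policy"
SPEAGLE_USER_AGENT = "Raw HTML Reader"
SPEAGLE_HEADERS = {"x-request-name", "x-request-id", "x-request-no", "x-request-time"}
FILELOCK_DEVICE = r"\\.\FileLock"
FILELOCK_IOCTL = 0x85272220
# Six upper-case letters; allowing an extension is our assumption (the post
# only says "six upper-case letters").
SIX_UPPER_NAME = re.compile(r"^[A-Z]{6}(?:\.[^.\\/]+)?$")

Finding = Tuple[str, str]  # (severity, reason)
SEVERITY_RANK = {"low": 0, "high": 1}
# key=value tokens with optional double-quoted values (constructed log format)
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV.findall(line)}


def http_findings(rec: Dict[str, str]) -> List[Finding]:
    """Match the User-Agent, X-Request-* header, C2 host and URL indicators."""
    findings: List[Finding] = []
    if rec.get("method") == "POST" and rec.get("ua") == SPEAGLE_USER_AGENT:
        findings.append(("high", "outbound POST with User-Agent 'Raw HTML Reader'"))
    sent = {h.strip().lower() for h in rec.get("headers", "").split(",") if h.strip()}
    seen = sorted(sent & SPEAGLE_HEADERS)
    if seen:
        findings.append(("high", "Speagle request headers: " + ", ".join(seen)))
    if rec.get("dst") in C2_HOSTS:
        findings.append(("high", f"destination {rec['dst']} is a listed compromised DocGuard server"))
    path = rec.get("path", "")
    if C2_PATH in path and C2_QUERY in path:
        # Genuine DocGuard clients request this same URL from their own server,
        # so the URL alone only earns a low-severity "review" hit.
        findings.append(("low", "DocGuard syn_user_policy diagnostics URL (also requested by genuine clients)"))
    return findings


def ioctl_findings(rec: Dict[str, str]) -> List[Finding]:
    """Flag the \\.\FileLock IOCTL the post ties to self-deletion."""
    if rec.get("device") != FILELOCK_DEVICE:
        return []
    try:
        code = int(rec.get("code", "0"), 16)
    except ValueError:
        return []
    if code != FILELOCK_IOCTL:
        return []
    return [("high", f"DeviceIoControl {rec['code']} on \\\\.\\FileLock from {rec.get('image', '?')}")]


def file_findings(rec: Dict[str, str]) -> List[Finding]:
    """Flag SetFileInformationByHandle/FileRenameInfo renames to six-upper-case-letter names."""
    if rec.get("api") != "SetFileInformationByHandle" or rec.get("info") != "FileRenameInfo":
        return []
    new_name = rec.get("new", "").replace("\\", "/").rsplit("/", 1)[-1]  # basename, Windows or POSIX
    if SIX_UPPER_NAME.match(new_name):
        return [("high", f"rename to six-upper-case-letter name {new_name!r} (self-deletion staging)")]
    return []


DISPATCH = {"http": http_findings, "ioctl": ioctl_findings, "file_rename": file_findings}


def hunt(lines: List[str]) -> List[Dict[str, object]]:
    """Run every line through the matcher for its event type; return the hits."""
    hits = []
    for line in lines:
        rec = parse_kv(line)
        findings = DISPATCH.get(rec.get("event", ""), lambda _r: [])(rec)
        if not findings:
            continue
        severity = max((s for s, _ in findings), key=SEVERITY_RANK.__getitem__)
        hits.append({"ts": rec.get("ts", "?"), "asset": rec.get("host") or rec.get("src", "?"),
                     "severity": severity, "reasons": [text for _, text in findings]})
    return hits


# Constructed sample telemetry: one benign policy sync, one beacon, the driver
# IOCTL, the staging rename, and two ordinary events that must not fire.
SAMPLE_LOG = [
    'ts=2024-04-04T09:58:11Z event=http src=10.10.4.21 dst=10.10.1.5 dport=8090 method=POST path=/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy ua="CDGClient" headers="Content-Type"',
    'ts=2024-04-04T10:01:02Z event=http src=10.10.4.21 dst=60.30.147.18 dport=8091 method=POST path=/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy ua="Raw HTML Reader" headers="X-Request-Name,X-Request-ID,X-Request-No,X-Request-Time"',
    'ts=2024-04-04T10:02:40Z event=http src=10.10.4.22 dst=93.184.216.34 dport=443 method=GET path=/ ua="Mozilla/5.0" headers="Accept"',
    'ts=2024-04-04T10:03:14Z event=ioctl host=WS-0421 device="\\\\.\\FileLock" code=0x85272220 image="C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"',
    'ts=2024-04-04T10:03:15Z event=file_rename host=WS-0421 api=SetFileInformationByHandle info=FileRenameInfo old="C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe" new="C:\\Users\\jdoe\\AppData\\Local\\Temp\\QWERTY"',
    'ts=2024-04-04T10:04:00Z event=file_rename host=WS-0422 api=SetFileInformationByHandle info=FileRenameInfo old="C:\\Temp\\report.docx" new="C:\\Temp\\report_final.docx"',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"[{hit['severity']:4}] {hit['ts']} {hit['asset']}: " + "; ".join(hit["reasons"]))
```

The severity split is the practical point: the diagnostics URL is what every healthy DocGuard client requests from its own server, so it is only a "low" review item, while the User-Agent, the X-Request-* headers, the two listed servers, the FileLock IOCTL and the six-letter rename are each enough on their own to escalate the asset.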

RESPOND (RS) – Mitigation & Containment
Command: Isolate endpoints displaying unexpected modifications to C:\ProgramData\EstConfig.ini.
Command: Block network communications to IPs 60.30.147[.]18 and 222.222.254[.]165 at the perimeter firewall.

RECOVER (RC) – Restoration & Trust
Command: Reimage infected assets and force a credential rotation for all accounts stored in SQLite databases (e.g., the Web Data or Login Data Chrome/Edge browser artifacts).

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop
Command: Audit third-party security software architecture and implement strict egress filtering for external C2 infrastructure disguised as legitimate vendor telemetry.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety
Threat Level: Theoretical/Low. The Speagle malware explicitly requires the presence of EsafeNet's Cobra DocGuard software to execute its primary collection and exfiltration routines. Because this is an enterprise-grade document encryption platform, default home environments are highly unlikely to be affected.

Priority 2: Identity
Command: If you are utilizing a corporate-managed device at home with this software installed, do not log into banking/email until verified clean. Reset passwords/MFA using a known clean device (e.g., phone on 5G).

Priority 3: Persistence
Command: Check Scheduled Tasks for anomalies, as the malware queries MSFT_ScheduledTask during its discovery phase.

Hardening & References

Baseline: Align with CIS Benchmarks for Application Allowlisting to prevent unauthorized .NET executables from executing, regardless of the delivery vector.

Framework: NIST CSF 2.0 / SP 800-61r3.

Source: SECURITY.COM