Symantec and Carbon Black researchers uncovered Infostealer.Speagle, a stealthy .NET infostealer that hijacks the functionality and infrastructure of the legitimate Cobra DocGuard client and uses compromised Cobra DocGuard servers to exfiltrate stolen data while appearing as legitimate client-server traffic. Speagle targets systems with Cobra DocGuard installed, performs staged collection (system info, WMI, file and user data, browser artifacts, and targeted searches for Chinese ballistic missile–related documents), encrypts and hexlifies the data, transmits it over HTTP to a hijacked server, and then attempts to self-delete. #Infostealer.Speagle #CobraDocGuard
Keypoints
- Researchers from Symantec and Carbon Black identified a novel infostealer named Infostealer.Speagle that abuses Cobra DocGuard client functionality and a compromised Cobra DocGuard server to hide exfiltration traffic.
- Speagle is a 32-bit .NET executable that only proceeds with full data collection and exfiltration when it detects a Cobra DocGuard installation, indicating deliberate targeting of environments running that software.
- The infection vector is unknown but supply chain compromise is a leading hypothesis, supported by prior supply chain abuses of Cobra DocGuard and Speagle’s use of a Cobra DocGuard driver during self-deletion.
- Data collection is staged: Phase 1 gathers basic system and client identifiers and config tokens; Phase 2 collects extensive WMI output and recursive file listings; Phase 3 extracts browser artifacts (History, Web Data, Bookmarks, downloads, shortcuts) and can include targeted searches for Chinese ballistic missile–related documents.
- Exfiltration serializes collected data to XML, compresses with Deflate, encrypts with AES-128-CBC (key derived from a hardcoded string), hexlifies the payload, and transmits it via HTTP POST to a hardcoded URL on a compromised Cobra DocGuard server.
- After operations, Speagle attempts to delete itself by interacting with the Cobra DocGuard driver (.FileLockIt) and by using SetFileInformationByHandle-based file rename and deletion techniques to remove a running executable.
MITRE Techniques
- [T1195] Supply Chain Compromise – Used or suspected distribution via a trojanized update or hijacked vendor infrastructure; quote: ‘could have been delivered as part of a Trojanized software update’.
- [T1036] Masquerading – Malware hijacks legitimate Cobra DocGuard functionality and server infrastructure to conceal malicious activity; quote: ‘hijacks the functionality and infrastructure of the legitimate security software Cobra DocGuard’.
- [T1082] System Information Discovery – Collects basic host and user identifiers (userName, hostName, clientId, oldId) as initial data elements; quote: ‘obtains the following details and stores them as members of the ErrorReport structure: member userName: name of the current Windows user, member hostName: name of the affected Windows computer’.
- [T1005] Data from Local System – Recursively lists files/folders, reads AppData and user directories, and extracts browser databases and bookmarks for exfiltration; quote: ‘Listing of files (name and size) and folders … collects the content of the file “Bookmarks”’.
- [T1027] Obfuscated Files or Information – Collected data is serialized, compressed with Deflate, encrypted with AES-128-CBC (key derived from a hardcoded string), and hexlified before transmission; quote: ‘serializes the ErrorReport … compressing it with the Deflate algorithm … encrypts the compressed data with the AES-128 algorithm … the encrypted data … is then hexlified’.
- [T1041] Exfiltration Over C2 Channel – Transmits hexlified encrypted payloads via HTTP POST to a hardcoded URL on a compromised Cobra DocGuard server; quote: ‘transmitted using the HTTP protocol’ and referenced URL ‘hxxp://60.30.147[.]18:8091/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy’.
- [T1070.004] Indicator Removal on Host: File Deletion – Attempts to remove its executable after completion by interacting with the Cobra DocGuard driver and using SetFileInformationByHandle to rename and delete the running file; quote: ‘attempts to delete itself … SetFileInformationByHandle() … DeleteFile: true’.
Indicators of Compromise
- [File hashes] Malware samples and detections – 03298f85eaf8880222cf8a83b8ed75d90712c34a8a5299a60f47927ad044b43b, dcd3f06093bf34d81837d837c5a5935beb859ba6258e5a80c3a5f95638a13d4d, and 2 more hashes.
- [URLs / C2] Hardcoded exfiltration endpoints hosted on hijacked Cobra DocGuard servers – hxxp://60.30.147[.]18:8091/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy, hxxp://222.222.254[.]165:8090/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy.
- [File paths] Installation and config files referenced by the malware – C:\Program Files\EsafeNet\Cobra DocGuard Client, C:\ProgramData\Est\Config.ini.
- [Registry keys] Cobra DocGuard installation registry lookups – HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Esafenet\CDG System, value "InstallDir"; HKEY_LOCAL_MACHINE\SOFTWARE\Esafenet\CDG System, value "InstallDir".
- [Device/Driver] Legitimate Cobra DocGuard driver abused for self-deletion – device name \\.\FileLockIt (accessed via DeviceIoControl IoControlCode 0x85272220).
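As an added, defender-side example (not code from the Symantec/Carbon Black report or from Cobra DocGuard), the Python script below applies the traffic pattern described in the exfiltration keypoint and the URL IoCs above, an HTTP POST to the CDGClientDiagnostics endpoint carrying a hex-only (hexlified) body, to a handful of constructed JSON-lines proxy records. The path, the flag=syn_user_policy query and the two hijacked server addresses come from this page (shown defanged above); the record layout (method, url, body keys), the 64-character triage threshold and the sample records are assumptions made for the example.

```python
"""Triage proxy/web logs for Speagle-style exfiltration traffic.

Pattern from the write-up: POST to /CDGServer3/CDGClientDiagnostics on a
Cobra DocGuard server, body = hexlified (AES-encrypted, Deflate-compressed)
report. Legitimate clients use the same endpoint, so the path alone is
never a hit; a hex-only body or a known hijacked server is required.
"""
import json
import re
from urllib.parse import urlsplit, parse_qs

# Path and query flag of the exfiltration URL quoted in the report.
EXFIL_PATH = "/CDGServer3/CDGClientDiagnostics"
EXFIL_FLAG = "syn_user_policy"
# host:port of the hijacked servers listed in the IoCs (defanged on the page).
KNOWN_HIJACKED = {"60.30.147.18:8091", "222.222.254.165:8090"}
HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")
MIN_BODY_LEN = 64  # assumed triage threshold; real reports are far larger


def classify_request(entry):
    """Return the reasons one parsed log record matches the pattern ([] if none)."""
    if entry.get("method", "").upper() != "POST":
        return []
    parts = urlsplit(entry.get("url", ""))
    if parts.path != EXFIL_PATH:
        return []
    reasons = []
    if parts.netloc in KNOWN_HIJACKED:
        reasons.append("POST to known hijacked Cobra DocGuard server " + parts.netloc)
    body = entry.get("body", "")
    # Hexlified bytes: only hex digits and an even number of them.
    if len(body) >= MIN_BODY_LEN and len(body) % 2 == 0 and HEX_ONLY.match(body):
        reasons.append("hex-only request body of %d chars" % len(body))
    if not reasons:
        return []  # endpoint alone is shared with the legitimate client
    if EXFIL_FLAG in parse_qs(parts.query).get("flag", []):
        reasons.append("query flag=" + EXFIL_FLAG)
    return reasons


def scan_log(lines):
    """Parse JSON-lines records; return (line_index, reasons) for every hit."""
    hits = []
    for idx, line in enumerate(lines):
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # malformed record: skip instead of aborting the scan
        reasons = classify_request(entry)
        if reasons:
            hits.append((idx, reasons))
    return hits


# Constructed sample records (assumed layout, not real traffic).
SAMPLE_LOG = [
    json.dumps({"src": "10.0.0.5", "method": "POST",
                "url": "http://60.30.147.18:8091/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy",
                "body": "a1" * 64}),
    json.dumps({"src": "10.0.0.5", "method": "GET",
                "url": "http://60.30.147.18:8091/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy",
                "body": ""}),
    json.dumps({"src": "10.0.0.7", "method": "POST",
                "url": "http://docguard.corp.example:8091/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy",
                "body": "0f" * 200}),
    json.dumps({"src": "10.0.0.7", "method": "POST",
                "url": "http://docguard.corp.example:8091/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy",
                "body": "<diag><client>ok</client></diag>"}),
    json.dumps({"src": "10.0.0.9", "method": "POST",
                "url": "http://updates.example/upload",
                "body": "ab" * 100}),
]

if __name__ == "__main__":
    for idx, reasons in scan_log(SAMPLE_LOG):
        print("record %d: %s" % (idx, "; ".join(reasons)))
```

Records 0 and 2 are reported: the first because it goes to a listed hijacked server with a hex-only body, the second because an internal DocGuard server receives a hex-only body (the report's hijacked servers are only the ones observed, so the body check matters on its own). The plain XML-looking POST to the same endpoint and the hex upload to an unrelated path are left alone. Hits are a triage signal, to be confirmed with the file hashes, paths and registry lookups listed above.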
Read more: https://www.security.com/threat-intelligence/speagle-cobradocguard-infostealer