win.cargobay (Back to overview)

CargoBay


CargoBay is a newer malware family which was first observed in 2022 and is notable for being written in the Rust language. CargoBay is likely based on source code taken from the 'Black Hat Rust' GitHub project (https://github.com/skerkour/black-hat-rust). CargoBay is usually distributed via phishing emails, and the malware binaries may be disguised as legitimate applications. Upon execution, the malware starts by performing environmental checks such as checking its execution path and the configured system language. If the tests pass, the malware proceeds to gather basic system information and register with its C2 via HTTP, from which it receives JSON-formatted jobs to carry out. CargoBay can execute commands via the command line and download additional malware binaries.

References
2022-11-29 · IBM X-Force Exchange · IBM IRIS
CargoBay BlackHat Backdoor Analysis Report (IRIS-14738)
CargoBay
Yara Rules
[TLP:WHITE] win_cargobay_auto (20230808 | Detects win.cargobay.)
rule win_cargobay_auto {

    // Reviewer notes (not part of the autogenerated rule body):
    //  - Each $sequence_N is a raw x86 code fragment. The leading 48/49/4c/4d/41
    //    bytes in most sequences are REX prefixes, so the patterns are taken from
    //    64-bit code and the rule should be expected to cover x64 builds only.
    //  - The mnemonic column to the right of each "|" does not line up with the
    //    bytes on the same row (e.g. 5b/5d are pop rbx/pop rbp, 31c0 is
    //    xor eax,eax, 0f0b is ud2) and reads like a 32-bit decode shifted against
    //    the hex. Treat the hex strings, not the annotations, as the signature.
    //  - "????????" masks the rel32 displacement of e8/e9 (call/jmp) and
    //    RIP-relative operands, which differ between builds of the same code.
    //  - $sequence_7 consists of VEX-encoded (c4/c5) AVX instructions; such
    //    fragments may originate from compiler-emitted vector routines rather
    //    than family-specific logic, so assess false-positive risk against
    //    other Rust binaries before relaxing the "7 of them" threshold.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.cargobay."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cargobay"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e9???????? 4c8b4910 31c0 4c01ca 7216 48395108 7210 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   4c8b4910             | lea                 eax, [esp + 0x58]
            //   31c0                 | jne                 0xda
            //   4c01ca               | dec                 eax
            //   7216                 | mov                 ebx, edx
            //   48395108             | dec                 eax
            //   7210                 | add                 ebx, dword ptr [esp + 0x48]

        $sequence_1 = { 80bc24b100000000 0f84e2020000 8a8c24b2000000 0fb6d1 83fa2c 743e b800000000 }
            // n = 7, score = 100
            //   80bc24b100000000     | mov                 eax, ebx
            //   0f84e2020000         | dec                 esp
            //   8a8c24b2000000       | mov                 ecx, esi
            //   0fb6d1               | dec                 eax
            //   83fa2c               | mov                 edx, edi
            //   743e                 | cmp                 al, 0xff
            //   b800000000           | je                  0x10cc

        $sequence_2 = { e8???????? eb56 488db42498010000 41b8b8000000 4889f1 4c89fa e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   eb56                 | dec                 ebp
            //   488db42498010000     | mov                 edi, dword ptr [esi + 0x30]
            //   41b8b8000000         | jne                 0xaae
            //   4889f1               | cmp                 cx, 0xa
            //   4c89fa               | jne                 0xab6
            //   e8????????           |                     

        $sequence_3 = { c6040800 48ffc1 ebf2 488b4748 41b801000000 4889f9 4c89e2 }
            // n = 7, score = 100
            //   c6040800             | sub                 esp, 0xb8
            //   48ffc1               | dec                 ebp
            //   ebf2                 | mov                 esi, ecx
            //   488b4748             | dec                 esp
            //   41b801000000         | mov                 ebp, eax
            //   4889f9               | push                esi
            //   4c89e2               | push                edi

        $sequence_4 = { eb04 48832300 4889f1 4c89f2 4883c448 5b 5d }
            // n = 7, score = 100
            //   eb04                 | lea                 edi, [edx + 3]
            //   48832300             | dec                 ecx
            //   4889f1               | mov                 dword ptr [edi], edi
            //   4c89f2               | movzx               ebx, byte ptr [edx + 2]
            //   4883c448             | shl                 esi, 6
            //   5b                   | and                 ebx, 0x3f
            //   5d                   | or                  ebx, esi

        $sequence_5 = { e8???????? 0f0b 56 57 4881ec18040000 4889ce 488d7c2428 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   0f0b                 | dec                 eax
            //   56                   | mov                 esi, ecx
            //   57                   | dec                 eax
            //   4881ec18040000       | mov                 ecx, edx
            //   4889ce               | push                edi
            //   488d7c2428           | push                ebx

        $sequence_6 = { ba05000000 e8???????? e9???????? 488d0dddfe0d00 ba09000000 e8???????? 4889c3 }
            // n = 7, score = 100
            //   ba05000000           | imul                edx, eax, 0x88
            //   e8????????           |                     
            //   e9????????           |                     
            //   488d0dddfe0d00       | dec                 eax
            //   ba09000000           | mov                 ebx, dword ptr [esp + 0x28]
            //   e8????????           |                     
            //   4889c3               | dec                 eax

        $sequence_7 = { c5fa6f8729020000 c4e27d470d???????? c4e27d4505???????? c5fd6f15???????? c4e26d36c0 c5fdebc1 c5fddb05???????? }
            // n = 7, score = 100
            //   c5fa6f8729020000     | mov                 ebx, ecx
            //   c4e27d470d????????     |     
            //   c4e27d4505????????     |     
            //   c5fd6f15????????     |                     
            //   c4e26d36c0           | dec                 eax
            //   c5fdebc1             | mov                 ecx, dword ptr [ecx]
            //   c5fddb05????????     |                     

        $sequence_8 = { 4d896608 488d8c2488000000 488919 48897108 48898424b0000000 4889bc24b8000000 4d8937 }
            // n = 7, score = 100
            //   4d896608             | cmp                 edx, ebx
            //   488d8c2488000000     | jne                 0xc47
            //   488919               | dec                 eax
            //   48897108             | test                eax, eax
            //   48898424b0000000     | je                  0xc8a
            //   4889bc24b8000000     | dec                 ecx
            //   4d8937               | cmp                 ebp, 0x27

        $sequence_9 = { ba08000000 41b908000000 e8???????? 4881c600020000 4889f1 4c89f2 e8???????? }
            // n = 7, score = 100
            //   ba08000000           | adc                 esp, 0
            //   41b908000000         | dec                 ebp
            //   e8????????           |                     
            //   4881c600020000       | and                 ecx, edi
            //   4889f1               | dec                 ebp
            //   4c89f2               | shld                esp, esi, 0xd
            //   e8????????           |                     

    condition:
        // At least 7 of the 10 sequences must match. `filesize` is only defined when
        // scanning a file on disk (it is undefined for process-memory scans, which
        // makes the conjunction false there), and per the disclaimer above the
        // fragments come from dumped/unpacked code, so packed samples on disk are
        // not expected to hit either. 3432448 bytes is roughly 3.27 MiB.
        7 of them and filesize < 3432448
}