win.cargobay (Back to overview)

CargoBay


CargoBay is a newer malware family which was first observed in 2022 and is notable for being written in the Rust language. CargoBay is likely based on source code taken from the 'Black Hat Rust' GitHub project (https://github.com/skerkour/black-hat-rust). CargoBay is usually distributed via phishing emails, and the malware binaries may be disguised as legitimate applications. Upon execution, the malware starts by performing environmental checks such as checking its execution path and the configured system language. If these checks pass, the malware proceeds to gather basic system information and register with its C2 via HTTP, from which it receives JSON-formatted jobs to carry out. CargoBay can execute commands via the command line and download additional malware binaries.

References
2022-11-29 — IBM X-Force Exchange — IBM IRIS
CargoBay BlackHat Backdoor Analysis Report (IRIS-14738)
CargoBay
Yara Rules
[TLP:WHITE] win_cargobay_auto (20260504 | Detects win.cargobay.)
rule win_cargobay_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.cargobay."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cargobay"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review)
     * The "| mnemonic operand" column printed beside each byte sequence does
     * NOT decode the hex bytes on the same line: e.g. 5e is a pop (not
     * "push edi"), c3 is ret, and 488b8424e8010000 is a 64-bit
     * mov rax, [rsp+0x1e8]. The annotations appear to be 32-bit-mode decodes
     * of some other location and should be treated as generator noise; the
     * hex bytes are the authoritative content of the rule.
     * The "??" wildcards cover the 4-byte displacements that follow e8
     * (call rel32), e9 (jmp rel32) and the RIP-relative 0f1005 (movups)
     * opcodes, so those sequences tolerate relinking. $sequence_6 and
     * $sequence_8, however, appear to embed fixed RIP-relative displacements
     * (4c8d05cf070b00, 4c8d05f3e20c00 -> lea r8, [rip+disp32]) and are
     * therefore likely tied to the single analysed build.
     */

    strings:
        $sequence_0 = { 5e 415c 415d 415e 415f c3 488b8424e8010000 }
            // n = 7, score = 100
            //   5e                   | push                edi
            //   415c                 | push                ebx
            //   415d                 | dec                 eax
            //   415e                 | sub                 esp, 0x50
            //   415f                 | dec                 eax
            //   c3                   | mov                 esi, ecx
            //   488b8424e8010000     | dec                 esp

        $sequence_1 = { e8???????? 488b9c24b0000000 488b4308 0fb64808 48ffc9 4883f902 7304 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488b9c24b0000000     | movups              xmm0, xmmword ptr [esp + 0x30]
            //   488b4308             | dec                 esp
            //   0fb64808             | mov                 esi, dword ptr [esp + 0x40]
            //   48ffc9               | movups              xmm1, xmmword ptr [esp + 0x50]
            //   4883f902             | dec                 eax
            //   7304                 | mov                 eax, dword ptr [ebx + 0x110]

        $sequence_2 = { 89ca 80e21f 0fb6d2 0fb67001 83e63f 80f9df 763c }
            // n = 7, score = 100
            //   89ca                 | shl                 ebp, 8
            //   80e21f               | dec                 eax
            //   0fb6d2               | or                  ebp, edi
            //   0fb67001             | dec                 eax
            //   83e63f               | shl                 esi, 0x10
            //   80f9df               | dec                 eax
            //   763c                 | or                  esi, ebp

        $sequence_3 = { e8???????? e9???????? 56 57 4883ec48 4889ce 488b4110 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   e9????????           |                     
            //   56                   | dec                 ecx
            //   57                   | mov                 eax, eax
            //   4883ec48             | dec                 ecx
            //   4889ce               | mov                 ebx, edx
            //   488b4110             | movzx               eax, byte ptr [eax]

        $sequence_4 = { e8???????? 4c8bbd90000000 488bbd98000000 4d89fe 4929fe 4d89f0 4929d8 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4c8bbd90000000       | mov                 ecx, esi
            //   488bbd98000000       | dec                 ecx
            //   4d89fe               | mov                 ecx, edx
            //   4929fe               | dec                 eax
            //   4d89f0               | mov                 ecx, esi
            //   4929d8               | dec                 eax

        $sequence_5 = { e9???????? b91f000000 31d2 e8???????? 0f1005???????? 0f1100 0f1005???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   b91f000000           | mov                 edi, dword ptr [esp + 0x38]
            //   31d2                 | dec                 eax
            //   e8????????           |                     
            //   0f1005????????       |                     
            //   0f1100               | cmp                 edi, 1
            //   0f1005????????       |                     

        $sequence_6 = { 4c8d05cf070b00 488db42470020000 41b92c000000 4889f1 e8???????? 4889df 4883c710 }
            // n = 7, score = 100
            //   4c8d05cf070b00       | dec                 eax
            //   488db42470020000     | lea                 ecx, [ebx + 0x578]
            //   41b92c000000         | dec                 esp
            //   4889f1               | mov                 edx, edi
            //   e8????????           |                     
            //   4889df               | dec                 eax
            //   4883c710             | mov                 dword ptr [ebx + 0x560], esi

        $sequence_7 = { f6c101 755a 89d5 4c8bb42480000000 488bbc2488000000 4c39f7 7416 }
            // n = 7, score = 100
            //   f6c101               | lea                 eax, [0xdbb09]
            //   755a                 | jmp                 0x7d4
            //   89d5                 | dec                 eax
            //   4c8bb42480000000     | lea                 edx, [0xdb43d]
            //   488bbc2488000000     | dec                 eax
            //   4c39f7               | lea                 esi, [esp + 0x28]
            //   7416                 | inc                 ecx

        $sequence_8 = { e8???????? 4c8d05f3e20c00 ba0b000000 4889f9 e8???????? 4989d0 4489f9 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4c8d05f3e20c00       | mov                 eax, 0xe
            //   ba0b000000           | dec                 esp
            //   4889f9               | mov                 esp, dword ptr [esi]
            //   e8????????           |                     
            //   4989d0               | dec                 esp
            //   4489f9               | mov                 edi, dword ptr [esi + 0x10]

        $sequence_9 = { eb5e 41b800001c00 eb56 41b800001d00 eb4e 41b800001e00 eb46 }
            // n = 7, score = 100
            //   eb5e                 | setb                cl
            //   41b800001c00         | mov                 eax, 0x5f5e100
            //   eb56                 | inc                 ecx
            //   41b800001d00         | mov                 ebp, 0x3b9aca00
            //   eb4e                 | inc                 esp
            //   41b800001e00         | cmovb               ebp, eax
            //   eb46                 | xor                 cl, 9

    condition:
        // Seven of the ten sequences must be present. The size bound
        // (3432448 bytes, ~3.27 MiB) is evaluated against the scanned
        // file/buffer, so a larger process dump can fail the rule even
        // when the code sequences are present; drop or raise it when
        // scanning memory rather than files.
        7 of them and filesize < 3432448
}