win.cargobay (Back to overview)

CargoBay


CargoBay is a newer malware family that was first observed in 2022 and is notable for being written in the Rust language. CargoBay is likely based on source code taken from the 'Black Hat Rust' GitHub project (https://github.com/skerkour/black-hat-rust). CargoBay is usually distributed via phishing emails, and the malware binaries may be disguised as legitimate applications. Upon execution, the malware starts by performing environmental checks, such as checking its execution path and the configured system language. If these checks pass, the malware proceeds to gather basic system information and register with its C2 over HTTP, from which it receives JSON-formatted jobs to carry out. CargoBay can execute commands via the command line and download additional malware binaries.

References
2022-11-29 | IBM X-Force Exchange | IBM IRIS
@online{iris:20221129:cargobay:9f0719a, author = {IBM IRIS}, title = {{CargoBay BlackHat Backdoor Analysis Report (IRIS-14738)}}, date = {2022-11-29}, organization = {IBM X-Force Exchange}, url = {https://exchange.xforce.ibmcloud.com/malware-analysis/guid:87abff769352d8208e403331c86eb95f}, language = {English}, urldate = {2023-02-17} } CargoBay BlackHat Backdoor Analysis Report (IRIS-14738)
CargoBay
Yara Rules
[TLP:WHITE] win_cargobay_auto (20230715 | Detects win.cargobay.)
/*
 * Auto-generated detection for the CargoBay backdoor (Malpedia: win.cargobay).
 *
 * Matching is driven solely by the hex byte sequences declared in the
 * `strings` section; the `//` disassembly lines beside each sequence are
 * informational only and are not evaluated.
 *
 * NOTE(review): the annotated disassembly does not decode the bytes it sits
 * next to (e.g. `0f87 fa000000` is `ja rel32`, not `je`; `4889d9` is
 * `mov rcx, rbx`, not `cmp byte ptr [ebx], 0`). Treat those lines as
 * generator artefacts and disassemble the sample itself when triaging a hit.
 *
 * `e8????????` is a `call rel32` whose 4-byte relative target is wildcarded,
 * and `ff15????????` is an indirect `call` whose pointer operand is
 * wildcarded, so the sequences tolerate relocation of the callees.
 */
rule win_cargobay_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.cargobay."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator selected sequences from.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cargobay"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Ten 7-instruction byte sequences ($sequence_0 .. $sequence_9); each
        // carries the generator's n (instruction count) and score.
        $sequence_0 = { 0f87fa000000 4c8b742420 4c8b7c2428 4869db88000000 48035c2430 4889d9 4889fa }
            // n = 7, score = 100
            //   0f87fa000000         | je                  0x336
            //   4c8b742420           | dec                 eax
            //   4c8b7c2428           | mov                 eax, dword ptr [esp + 0x68]
            //   4869db88000000       | dec                 esp
            //   48035c2430           | lea                 eax, [0xdbd5a]
            //   4889d9               | cmp                 byte ptr [ebx], 0
            //   4889fa               | je                  0x347

        $sequence_1 = { e8???????? 488d4e08 e8???????? 4881c608010000 4889f1 4883c420 5e }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488d4e08             | jb                  0x503
            //   e8????????           |                     
            //   4881c608010000       | inc                 cx
            //   4889f1               | cmp                 eax, 0x3f
            //   4883c420             | jne                 0x503
            //   5e                   | inc                 cx

        $sequence_2 = { e8???????? 488d8b00020000 e8???????? 4c89f9 e8???????? 488d8bd00d0000 e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488d8b00020000       | cmp                 eax, 0x7e
            //   e8????????           |                     
            //   4c89f9               | je                  0xb15
            //   e8????????           |                     
            //   488d8bd00d0000       | lea                 eax, [ecx - 0x30]
            //   e8????????           |                     

        $sequence_3 = { eb19 ff15???????? 48c1e020 4883c802 49894708 49c70701000000 4881c4a8000000 }
            // n = 7, score = 100
            //   eb19                 | mov                 dh, byte ptr [esp + 0x22]
            //   ff15????????         |                     
            //   48c1e020             | inc                 ecx
            //   4883c802             | movzx               eax, dh
            //   49894708             | cmp                 eax, 0x22
            //   49c70701000000       | cmp                 byte ptr [esp + 0x20], 0
            //   4881c4a8000000       | jne                 0xbe7

        $sequence_4 = { 4c8bbc2498000000 4c897c2430 4c89742428 488b5c2470 48895c2420 488d742458 4889f1 }
            // n = 7, score = 100
            //   4c8bbc2498000000     | lea                 esi, [esp + 0x838]
            //   4c897c2430           | mov                 ecx, 0xf
            //   4c89742428           | dec                 eax
            //   488b5c2470           | mov                 edi, ebx
            //   48895c2420           | dec                 eax
            //   488d742458           | movsd               dword ptr es:[edi], dword ptr [esi]
            //   4889f1               | dec                 eax

        $sequence_5 = { ba1d000000 eb24 4c8d059ccd0c00 b91e000000 ba1e000000 eb11 4c8d05a1cd0c00 }
            // n = 7, score = 100
            //   ba1d000000           | mov                 eax, dword ptr [edi + 0x28]
            //   eb24                 | push                ebx
            //   4c8d059ccd0c00       | dec                 eax
            //   b91e000000           | sub                 esp, 0x40
            //   ba1e000000           | dec                 esp
            //   eb11                 | mov                 esi, ecx
            //   4c8d05a1cd0c00       | dec                 eax

        $sequence_6 = { c3 488d056db60d00 4889442420 488d0dd4dc1000 4c8d0ddab50d00 4c8d442430 ba2b000000 }
            // n = 7, score = 100
            //   c3                   | add                 ecx, 8
            //   488d056db60d00       | push                edi
            //   4889442420           | dec                 eax
            //   488d0dd4dc1000       | sub                 esp, 0x20
            //   4c8d0ddab50d00       | dec                 eax
            //   4c8d442430           | lea                 ebx, [0xb5497]
            //   ba2b000000           | dec                 eax

        $sequence_7 = { ebe6 49c1e120 4d09c1 4e894cd9f8 c3 4885d2 740f }
            // n = 7, score = 100
            //   ebe6                 | add                 edi, eax
            //   49c1e120             | dec                 esp
            //   4d09c1               | mov                 ebx, ebp
            //   4e894cd9f8           | dec                 esp
            //   c3                   | cmp                 edi, ebp
            //   4885d2               | jne                 0x378
            //   740f                 | add                 eax, 0xa

        $sequence_8 = { 89d8 e9???????? 4080fef8 0f832a020000 41b804000000 41b101 4531db }
            // n = 7, score = 100
            //   89d8                 | dec                 esp
            //   e9????????           |                     
            //   4080fef8             | lea                 eax, [0xa804a]
            //   0f832a020000         | dec                 eax
            //   41b804000000         | mov                 edi, ecx
            //   41b101               | dec                 eax
            //   4531db               | lea                 edx, [0xa7708]

        $sequence_9 = { e8???????? 488babd0010000 488b83e8010000 4889842490000000 0f1083d8010000 0f29842480000000 488b8300020000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488babd0010000       | mov                 edx, edi
            //   488b83e8010000       | dec                 eax
            //   4889842490000000     | mov                 ecx, edi
            //   0f1083d8010000       | dec                 eax
            //   0f29842480000000     | mov                 edx, esi
            //   488b8300020000       | jb                  0x186b

    condition:
        // Both clauses must hold: at least 7 of the 10 sequences above must be
        // present, AND the scanned object must be smaller than 3432448 bytes
        // (roughly 3.3 MB). Objects at or above that size are never reported,
        // however many sequences they contain -- keep this in mind when scanning
        // padded, repacked or memory-dumped samples.
        7 of them and filesize < 3432448
}