SYMBOLCOMMON_NAMEaka. SYNONYMS
win.cybergate (Back to overview)

CyberGate

aka: Rebhip
URLhaus      

According to Subex Secure, CyberGate is a Remote Access Trojan (RAT) that allows an attacker to gain unauthorized access to
the victim’s system. Attackers can remotely connect to the compromised system from anywhere
around the world. The Malware author generally uses this program to steal private information
like passwords, files, etc. It might also be used to install malicious software on the compromised
systems.

References
2021-05-20SubexSecureHussain Kathawala
@techreport{kathawala:20210520:cybergate:7e8eb1a, author = {Hussain Kathawala}, title = {{CyberGate Threat Report}}, date = {2021-05-20}, institution = {SubexSecure}, url = {https://www.subexsecure.com/pdf/malware-reports/2021-05/cybergate-threat-report.pdf}, language = {English}, urldate = {2022-06-09} } CyberGate Threat Report
CyberGate
2021-05-05ZscalerAniruddha Dolas, Mohd Sadique, Manohar Ghule
@online{dolas:20210505:catching:ace83fc, author = {Aniruddha Dolas and Mohd Sadique and Manohar Ghule}, title = {{Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats}}, date = {2021-05-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols}, language = {English}, urldate = {2021-05-08} } Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats
Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos
2021-02-25IntezerIntezer
@techreport{intezer:20210225:year:eb47cd1, author = {Intezer}, title = {{Year of the Gopher A 2020 Go Malware Round-Up}}, date = {2021-02-25}, institution = {Intezer}, url = {https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf}, language = {English}, urldate = {2021-06-30} } Year of the Gopher A 2020 Go Malware Round-Up
NiuB WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim NjRAT Quasar RAT WellMess Zebrocy
2020-07-02ZscalerMohd Sadique
@online{sadique:20200702:cybergate:b091287, author = {Mohd Sadique}, title = {{CyberGate RAT and RedLine Stealer Delivered in Ongoing AutoIt Malware Campaigns}}, date = {2020-07-02}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns}, language = {English}, urldate = {2022-02-17} } CyberGate RAT and RedLine Stealer Delivered in Ongoing AutoIt Malware Campaigns
CyberGate RedLine Stealer
2020-01-31ReversingLabsRobert Simmons
@online{simmons:20200131:rats:d8a4021, author = {Robert Simmons}, title = {{RATs in the Library: Remote Access Trojans Hide in Plain "Public" Site}}, date = {2020-01-31}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/rats-in-the-library}, language = {English}, urldate = {2020-02-03} } RATs in the Library: Remote Access Trojans Hide in Plain "Public" Site
CyberGate LimeRAT NjRAT Quasar RAT Revenge RAT
2017-07-18ElasticAshkan Hosseini
@online{hosseini:20170718:ten:af036b3, author = {Ashkan Hosseini}, title = {{Ten process injection techniques: A technical survey of common and trending process injection techniques}}, date = {2017-07-18}, organization = {Elastic}, url = {https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process}, language = {English}, urldate = {2020-07-15} } Ten process injection techniques: A technical survey of common and trending process injection techniques
Cryakl CyberGate Dridex FinFisher RAT Locky
2017-07-18EndgameAshkan Hosseini
@online{hosseini:20170718:ten:fa1e393, author = {Ashkan Hosseini}, title = {{Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques}}, date = {2017-07-18}, organization = {Endgame}, url = {https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process}, language = {English}, urldate = {2020-01-09} } Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques
CyberGate
2015-12-08The CitizenlabJohn Scott-Railton, Morgan Marquis-Boire, Claudio Guarnieri, Marion Marschalek
@online{scottrailton:20151208:packrat:5f9bffa, author = {John Scott-Railton and Morgan Marquis-Boire and Claudio Guarnieri and Marion Marschalek}, title = {{Packrat: Seven Years of a South American Threat Actor}}, date = {2015-12-08}, organization = {The Citizenlab}, url = {https://citizenlab.ca/2015/12/packrat-report/}, language = {English}, urldate = {2020-05-18} } Packrat: Seven Years of a South American Threat Actor
AdWind Adzok CyberGate Xtreme RAT Packrat
Yara Rules
[TLP:WHITE] win_cybergate_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_cybergate_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cybergate"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b8de8feffff b8???????? ba???????? e8???????? c645ff00 e9???????? 837f0800 }
            // n = 7, score = 700
            //   8b8de8feffff         | mov                 ecx, dword ptr [ebp - 0x118]
            //   b8????????           |                     
            //   ba????????           |                     
            //   e8????????           |                     
            //   c645ff00             | mov                 byte ptr [ebp - 1], 0
            //   e9????????           |                     
            //   837f0800             | cmp                 dword ptr [edi + 8], 0

        $sequence_1 = { 3c2e 7516 57 8bc6 e8???????? }
            // n = 5, score = 700
            //   3c2e                 | cmp                 al, 0x2e
            //   7516                 | jne                 0x18
            //   57                   | push                edi
            //   8bc6                 | mov                 eax, esi
            //   e8????????           |                     

        $sequence_2 = { 741a 8b55f8 b8???????? e8???????? 48 7d83 }
            // n = 6, score = 700
            //   741a                 | je                  0x1c
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   b8????????           |                     
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   7d83                 | jge                 0xffffff85

        $sequence_3 = { 8b55f8 807c02ff5c 747c 8d45f8 }
            // n = 4, score = 700
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   807c02ff5c           | cmp                 byte ptr [edx + eax - 1], 0x5c
            //   747c                 | je                  0x7e
            //   8d45f8               | lea                 eax, [ebp - 8]

        $sequence_4 = { 8b5708 8b4df0 890a 294708 ff470c 8b45f4 8b00 }
            // n = 7, score = 700
            //   8b5708               | mov                 edx, dword ptr [edi + 8]
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   890a                 | mov                 dword ptr [edx], ecx
            //   294708               | sub                 dword ptr [edi + 8], eax
            //   ff470c               | inc                 dword ptr [edi + 0xc]
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b00                 | mov                 eax, dword ptr [eax]

        $sequence_5 = { 83c103 8b03 ba01000000 e8???????? 8d55f0 }
            // n = 5, score = 700
            //   83c103               | add                 ecx, 3
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   ba01000000           | mov                 edx, 1
            //   e8????????           |                     
            //   8d55f0               | lea                 edx, [ebp - 0x10]

        $sequence_6 = { 8b520c 03d6 e8???????? 8b8de8feffff b8???????? ba???????? }
            // n = 6, score = 700
            //   8b520c               | mov                 edx, dword ptr [edx + 0xc]
            //   03d6                 | add                 edx, esi
            //   e8????????           |                     
            //   8b8de8feffff         | mov                 ecx, dword ptr [ebp - 0x118]
            //   b8????????           |                     
            //   ba????????           |                     

        $sequence_7 = { 4b 85db 75db 5a 5f }
            // n = 5, score = 700
            //   4b                   | dec                 ebx
            //   85db                 | test                ebx, ebx
            //   75db                 | jne                 0xffffffdd
            //   5a                   | pop                 edx
            //   5f                   | pop                 edi

        $sequence_8 = { 8b03 ba01000000 e8???????? 8d55f0 }
            // n = 4, score = 700
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   ba01000000           | mov                 edx, 1
            //   e8????????           |                     
            //   8d55f0               | lea                 edx, [ebp - 0x10]

        $sequence_9 = { 40 84c0 741a 8b55f8 b8???????? e8???????? 48 }
            // n = 7, score = 700
            //   40                   | inc                 eax
            //   84c0                 | test                al, al
            //   741a                 | je                  0x1c
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   b8????????           |                     
            //   e8????????           |                     
            //   48                   | dec                 eax

    condition:
        7 of them and filesize < 9191424
}
[TLP:WHITE] win_cybergate_w0   (20170517 | No description)
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
    long as you use it under this license.
*/
rule win_cybergate_w0 {

	meta:
		author = " Kevin Breen <kevin@techanarchy.net>"
		contributors = "Daniel Plohmann"
		date = "2014/04"
		ref = "http://malwareconfig.com/stats/CyberGate"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cybergate"
        malpedia_version = "20170517"
        malpedia_license = "GNU-GPLv2"
        malpedia_sharing = "TLP:WHITE"

	strings:
		$string1 = {23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23}
		$string2 = {23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23}
		$string3 = "EditSvr"
		$string4 = "TLoader"
		$string5 = "Stroks"
		$string6 = "####@####"
		$res1 = "XX-XX-XX-XX"
		$res2 = "CG-CG-CG-CG"
		
		$command_0 = "limpasclipboard"
		$command_1 = "shellativar"
		$command_2 = "configuracoesdoserver"
		$command_3 = "finalizarconexao"

	condition:
		(all of ($string*) or any of ($res*)) or (all of ($command_*))
}
Download all Yara Rules