CargoBay is a malware family that has been associated with several ransomware operations, including Quantum, Zeon, and Royal. It was used to crypt SVCReady, a loader observed in the Quantum ransomware attacks. CargoBay's use extends beyond this: it has also been linked to numerous other malicious software families, such as Emotet, IcedID, CobaltStrike, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2, Vidar, Gozi, Canyon, Nokoyawa Ransomware, and BlackBasta Ransomware. The malware infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom.
In recent times, criminal factions have likely established new alliances with other gangs, leading to the testing and deployment of new malware such as SVCReady, CargoBay, and Matanbuchus. Crypters such as Hexa and Dave have been applied to these malware families. Over the past year, these crypters have appeared on new malware used for initial access or information stealing, including SVCReady, CargoBay, Matanbuchus, Pikabot, AresLoader, Vidar, Minodo, and LummaC2 Stealer.
The current landscape shows significant changes from the original ITG23, as its successors have tested and adopted new malware strains such as SVCReady, CargoBay, and Minodo. They have also forged relationships with new actors like FIN7 and DEV-0569. However, similarities with ITG23’s activities before Conti’s sunset suggest that many of the same actors behind these new operations continue to collaborate closely behind the scenes. X-Force has analyzed an ITG23 crypter written in Rust, along with the CargoBay family of backdoors and downloaders, indicating ongoing cooperation between cybercriminal groups.
Description last updated: 2024-05-04T23:24:03.307Z