Hello, today I would like to discuss a new AutistWare variant known to the public as “Bayside RAT”. Bayside RAT is attributed to BuldingIstStoopid, a threat actor from the malware krew “BotSquid”, who has been cyberbullied multiple times by Mr. Krabs/Codefuser.

BuldingIstStoopid is known for releasing crapwares that either (1) don’t function or (2) don’t function (reports are available to customers of the Krabs Threat Security Network). His previous release, “BotSquad RAT”, was analyzed by our researchers and a full report/disclosure was made available to customers of the Krabs Threat Security Network. To subscribe, contact us on Discord. Bayside (also dubbed BotSquad RAT v2.0) is an evolution of BotSquad RAT, and poses an extreme threat to the brain cells of those who attempt to reverse engineer it.

Sample information:
SHA256: 735a3db863fe7f739d30dec424da4cd3481477c13b98d7cc665bfa47bc59c5ef
File Type: Generic CIL Executable
VirusTotal: https://www.virustotal.com/#/file/735a3db863fe7f739d30dec424da4cd3481477c13b98d7cc665bfa47bc59c5ef/detection

At first glance, we can see that the sample is detected as “MSIL.Backdoor.Bladabindi.a” by multiple AV vendors. This is because Bayside RAT is 99% pasted (which we will discuss later on). Let’s take a look at the sample itself. Preliminary analysis reveals that the sample is packed with Crypto Obfuscator, which de4dot handles easily. We deobfuscate it and continue with our analysis.


Deobfuscated/Unpacked sample information:
SHA256: 83586da5c319d51c409480ba8494e51fa5249b833f9a2b9a3a4f674df23e85e8
File Type: Generic CIL Executable
VirusTotal: https://www.virustotal.com/#/file/83586da5c319d51c409480ba8494e51fa5249b833f9a2b9a3a4f674df23e85e8/detection

The first thing we noticed when opening the deobfuscated file in DnSpy is the class names.

What could this be but a blatant indicator of pasted code from Plasma HTTP, an ancient malware from 2014?

Opening Form1_load(), we notice something strange…

Wowser, storing data in the file overlay/EOF and using a string delimiter! Which century are we in again, and why is EOF still being used? No wonder this file can’t be crypted. The data is also, strangely, stored in plaintext, such security, am I right? Totally going to use an obfuscator if I’m going to store the config data of my crappy malware unencrypted in the overlay!
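As an added illustration (not code from this report, from the sample, or from its author), the Python below shows how an analyst carves the overlay out of a PE and splits a delimiter-separated plaintext config from it, which is exactly the kind of triage script this storage scheme invites. The PE bytes are constructed inline so it runs offline; the `|` delimiter, the field values and the field order are assumptions for the example, since the real sample’s delimiter and layout are not given above.

```python
import struct

# ASSUMPTION: the delimiter used here is illustrative; the sample's real delimiter is not stated in the report.
ASSUMED_DELIMITER = b"|"


def overlay_offset(pe: bytes) -> int:
    """Return the file offset where the overlay begins: the end of the last section's raw data."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header follows the signature
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    sect_table = coff + 20 + opt_size                     # section headers follow the optional header
    end = 0
    for i in range(num_sections):
        hdr = sect_table + 40 * i                         # each IMAGE_SECTION_HEADER is 40 bytes
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return end


def extract_overlay(pe: bytes) -> bytes:
    """Everything after the last section is overlay data the loader never maps."""
    return pe[overlay_offset(pe):]


def printable_ratio(data: bytes) -> float:
    """Share of printable bytes; a ratio near 1.0 on an overlay means an unencrypted config."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def split_overlay_config(pe: bytes, delimiter: bytes = ASSUMED_DELIMITER) -> list:
    """Split the overlay on the delimiter; returns [] when the file carries no overlay."""
    overlay = extract_overlay(pe)
    if not overlay:
        return []
    return [field.decode("latin-1") for field in overlay.split(delimiter)]


def build_sample_pe() -> bytes:
    """CONSTRUCTED minimal PE-shaped file: one 16-byte section followed by a plaintext overlay."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> PE signature at 0x40
    pe_sig = b"PE\0\0"
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader (0 keeps the sample tiny), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect_data = b"\xCC" * 16
    raw_ptr = 0x40 + 4 + 20 + 40                          # section data starts right after its header
    sect = struct.pack("<8sIIIIIIHHI", b".text", 16, 0x1000, len(sect_data), raw_ptr,
                       0, 0, 0, 0, 0x60000020)
    # Constructed config fields; values are placeholders, not indicators from the sample.
    overlay = ASSUMED_DELIMITER.join([b"c2.constructed.invalid", b"4444", b"victim-id", b"1.0"])
    return bytes(dos) + pe_sig + coff + sect + sect_data + overlay


if __name__ == "__main__":
    sample = build_sample_pe()
    print("overlay starts at", hex(overlay_offset(sample)))
    print("printable ratio", printable_ratio(extract_overlay(sample)))
    print("config fields", split_overlay_config(sample))
```

On a real file you would pass `open(path, "rb").read()` in place of the constructed bytes; the printable ratio is the quick tell that separates an unencrypted overlay config like this one from packed or encrypted overlay data.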

The next thing we noticed is that, well, there’s a backdoor inside Bayside RAT. This allows the coder, BuldingIstStoopid, to seize control of all the bots obtained by his customers by updating a pastebin entry.

At the time of this post, the pastebin entry is not officially inside the code yet, as we can see in the snippet above; however, it is clear that the intention of such code is nothing other than botjacking. The URL to the direct executable results in a 404.

The next thing we notice is the hardcoded installation path. What sort of malware author does this? I mean, why? Hardcoding the typical svchost.exe name inside %APPDATA% is totally a great way to not get killed by AV vendors or competing bots.

So what’s up after this crappy installation? What else could it be other than using the Run registry key for startup?
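Since the install path and the Run key are both hardcoded, the persistence is trivial to hunt for. The Python below is an added example (not code from this report or from the sample) that triages exported Run key values: an svchost.exe living anywhere but the Windows system directories is a high-confidence hit, while an autorun under the user’s AppData tree is only a low-confidence signal, because plenty of legitimate software starts from there. The Run key values are constructed for the example; a real collector would read HKCU\Software\Microsoft\Windows\CurrentVersion\Run on the host instead.

```python
import ntpath

# Where a genuine svchost.exe is allowed to live (compared case-insensitively).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Directory fragments that mean "user-writable profile location" (the report's %APPDATA%).
USER_PROFILE_MARKERS = (r"\appdata\roaming", r"\appdata\local")


def image_path(command: str) -> str:
    """Pull the executable path out of a Run value, quoted ('"C:\\a b\\x.exe" /q') or bare ('C:\\x.exe /q')."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def triage_run_entry(command: str) -> list:
    """Return (severity, reason) pairs for one Run value; an empty list means nothing stood out."""
    path = image_path(command)
    directory = ntpath.dirname(path).lower()
    basename = ntpath.basename(path).lower()
    findings = []
    if basename == "svchost.exe" and directory not in SYSTEM_DIRS:
        findings.append(("high", "svchost.exe outside the Windows system directories"))
    if any(marker in directory for marker in USER_PROFILE_MARKERS):
        # Low confidence on its own: updaters and chat clients autostart from AppData too.
        findings.append(("low", "autorun image lives under the user's AppData tree"))
    return findings


def triage_run_key(values: dict) -> dict:
    """Apply triage_run_entry to every value name -> command; keep only the flagged ones."""
    flagged = {}
    for name, command in values.items():
        findings = triage_run_entry(command)
        if findings:
            flagged[name] = findings
    return flagged


# CONSTRUCTED export of a Run key; the user name and paths are placeholders, not from the sample.
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "OneDrive": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "svchost": r"C:\Users\victim\AppData\Roaming\svchost.exe",
}

if __name__ == "__main__":
    for name, findings in triage_run_key(SAMPLE_RUN_VALUES).items():
        for severity, reason in findings:
            print(f"[{severity}] {name}: {reason}")
```

The split into high and low confidence is the point: the svchost.exe name check alone is enough to catch this family’s install, whereas flagging every AppData autorun would bury the analyst in false positives.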

One would normally think that malware is used to gain profit. But no, the author of Bayside RAT decided to add features that are of no use, such as the folder bombing feature! This miraculous feature creates 150 directories inside the main paths (such as Desktop, Documents, etc.) and even the C drive (which is hardcoded, which means anyone who renames their partition to D:\ or something else is immune to this)!

What else does Bayside RAT have to offer? Well, it’s none other than a specially pasted keylogger from NjRAT, guaranteed runtime detection by major AV vendors! Using the SetWindowsHookEx method, Bayside RAT bypasses McAfee and is detected by all other AVs. Also a static log path, yeah, that’s genius, man.

To conclude this public report, here is the checklist of things we discovered while analyzing Bayside RAT:

Pasted? ✔
Backdoored? ✔
Detected? ✔
Uncryptable? ✔
.NET? ✔
Incompetent dev? ✔
Terrible practices? ✔
Pretty much a scam? ✔

This investigation was performed by the Krabs Investigation Team (K.I.T) and the AntiNanomen sector of KrabsOnSecurity. Join the KrabsOnSecurity Discord and the AntiNanomen Discord to stay up to date with the latest information discovered by K.I.T. This is only a partial report on the APT group; the full disclosure is available to customers of the Krabs Threat Intelligence Service.