Hello, today I would like to discuss a new malware known to the public as “Bayside RAT”. Bayside RAT is attributed to “BildungIstSuper”, a German malware developer who started a malware group known as “BotSquad”.

BildungIstSuper is known for releasing malware that either (1) doesn’t function or (2) are backdoored and doesn’t function. Some of his previous creations include “BotSquad RAT”. Bayside (also known to some as BotSquad RAT v2.0), is a new version of BotSquad RAT that has some major changes to it.

Sample information:
SHA256: 735a3db863fe7f739d30dec424da4cd3481477c13b98d7cc665bfa47bc59c5ef
File Type: Generic CIL Executable
VirusTotal: https://www.virustotal.com/#/file/735a3db863fe7f739d30dec424da4cd3481477c13b98d7cc665bfa47bc59c5ef/detection

From the first glance, we could see that the sample is detected as “MSIL.Backdoor.Bladabindi.a” by multiple AV vendors. This is due to the fact that Bayside RAT is 99% pasted (which we will discuss later on). Let’s take a look at the sample itself. Preliminary analysis reveals that the sample is packed with Crypto Obfuscator, which de4dot is easily able to handle. We proceed to deobfuscate it and continue with our analysis.

 

Deobfuscated/Unpacked sample information:
SHA256: 83586da5c319d51c409480ba8494e51fa5249b833f9a2b9a3a4f674df23e85e8
File Type: Generic CIL Executable
VirusTotal: https://www.virustotal.com/#/file/83586da5c319d51c409480ba8494e51fa5249b833f9a2b9a3a4f674df23e85e8/detection

The first thing we noticed when opening the deobfuscated file in DnSpy is the class names.

What could this be but a blatant indicator of pasted code from Plasma HTTP, an ancient malware from 2014?

Opening Form1_load(), we notice something strange…

The file stores configuration data in the file overlay/EOF and using a string delimeter. This technique is very old and is no longer used by any malware developer as it makes crypting effectively impossible. The data is also strangely stored in plaintext, which shows the developers’ incompetence and renders the usage of an obfuscator useless.

The next thing we noticed is that, well, there’s a backdoor inside Bayside RAT. This allows the coder, BildungIstSuper to seize control of all the bots obtained by his customers by updating a pastebin entry.

At the time of this post, the pastebin entry is not officially inside the code yet, as we can see in the snippet above, however it is clear that the intention of such code is for no reason other than botjacking. The URL to the direct executable results in a 404.

The next thing we notice is the hardcoded installation path. Not only is the hardcoding of such a bad idea but naming one’s malware “svchost.exe” and putting it in %appdata%\Microsoft\svchost.exe without any variations again shows the incompetence of the developer.

The malware uses the typical run key for startup.

One would normally think that malware are used to gain profit. But no, the author of Bayside RAT decided to add features that are of no use, such as the folder bombing feature. This miraculous feature creates 150 directories inside the main paths (such as Desktop, Document, etc) and even the C drive (which is hardcoded, which means anyone who renames their partition to D:\ or something else are immune to this).

What else does Bayside RAT have to offer? Well, it’s none other than a specially pasted keylogger from NjRAT, guaranteed runtime detection by major AV vendors. Bayside also uses a static path for saving logs, which further provides a detection vector and

In conclusion to this public report, we will conclude with the following checklist of things we discovered while analyzing Bayside RAT:

Pasted? ✔
Backdoored? ✔
Detected? ✔
Uncryptable? ✔
.NET? ✔
Incompetent dev? ✔
Terrible practices? ✔
Pretty much a scam? ✔

This investigation was performed by the Krabs Investigation Team (K.I.T) and the AntiNanomen sector of KrabsOnSecurity. Join the KrabsOnSecurity discord and the AntiNanomen discord to stay up to date with the latest information discovered by K.I.T.