A Malware retrospective: The Beast RAT
Recently, I unveiled the second portion of the source code for SubSeven Legacy, an ambitious and faithful remake of the iconic SubSeven 2.2 RAT. The original SubSeven, masterminded by the enigmatic Mobman, emerged in the late 90s of the last century and took the cyber world by storm. This second release has generated an incredible amount of excitement and buzz within the nostalgic community of early internet users and enthusiasts.
To my own astonishment, the level of positive nostalgia elicited by these dual releases has been nothing short of remarkable. It seems that many people, like myself, grew up enthralled by these ingenious programs that were once the epitome of cutting-edge technology. For some, this fascination with malware and other similar programs may have even served as the catalyst for pursuing their own careers in the ever-evolving fields of InfoSec and Malware Research.
In the past, malware (specifically between 1998 and 2009) was a far cry from the sophisticated threats we encounter today. The ethos of malware authors from that era was distinct from the current landscape; their primary objectives were to showcase their creativity and technical prowess through unique features and eye-catching designs. This competitive spirit led to a flourishing subculture within the cybersecurity community.
During those days, it was much more challenging to find functional source code and resource to create your own malware. This scarcity of resources meant that aspiring malware authors had to rely on connections with other like-minded individuals, as well as specialised communities, to exchange information and hone their skills. Access to these clandestine networks was often restricted, requiring ingenuity and persistence to break into their inner circles.
In this inaugural instalment of the Malware Retrospective series, we take a trip down memory lane to revisit the Beast RAT, a notorious Windows RAT (Remote Access Trojan) developed by the elusive “Tataye” This groundbreaking malware left an indelible mark on a whole generation of enthusiasts, including myself, who were captivated by its ingenuity and influence the whole scene back in it’s time.
Story of the Beast
Over two decades have passed, and uncovering comprehensive information about this malware and its enigmatic creator remains an arduous task, particularly when it comes to the origins of the project. The passage of time has shrouded the beginnings of the Beast RAT in mystery, leaving enthusiasts and researchers to piece together its fascinating history through fragments of available information.
Fortunately, I had the opportunity to recently meet Tataye himself and ask him a few questions for my article. He graciously agreed to answer some of them, which was fantastic for gaining clarity on certain points.
The development of the Beast RAT commenced in 2002 under the guidance of a pseudonymous programmer known as “Tataye” who is thought to have hailed from Romania. Interestingly, Romania is also the birthplace of SubSeven, another notorious malware whose author, Mobman, was often mistakenly believed to be from the USA.
According to Tataye, his nickname was derived from Tataee, the name of one of the crew members of B.U.G. Mafia, a popular Romanian rap music band. Coincidentally, Mobman also mentioned and consistently dedicated his project, SubSeven, to the same band, which establishes yet another connection between the two malware authors.
The Beast RAT project can be traced back to its predecessor, Ulysses, another creation by the same enigmatic author. Ulysses had already seen four main releases before being rebranded and continued under the name of Beast. This likely explains why the first known version so far of Beast is numbered as 1.7. The similarities in design between the last release of Ulysses (1.73) and the first version of Beast (1.7) further substantiate the connection between the two projects, lending credence to the idea that Beast was a direct continuation of Tataye’s earlier work on Ulysses.
According to Tataye, his motivation for creating a RAT stemmed from a passion for programming system utilities and related content. He couldn’t pinpoint a specific reason for starting with RATs, simply stating that he enjoyed working on them without any particular rationale. He shared that he began programming with Visual Basic (VB6), like many other malware newcomers at the time, before transitioning to Delphi. To hone his skills, he attempted to recreate numerous utilities from the 12Ghosts utilities suite, expressing disappointment when the 12Ghosts project development has ceased.
Ulysses’ icon, featuring a red ghost, was actually borrowed from one of the 12Ghosts utilities tools called “Shutdown.” This confirms that he drew significant inspiration from the 12Ghosts tool suite when designing the Ulysses malware.
After two years of active development and eleven released versions, the Beast project came to an abrupt halt in 2004. According to Tataye, he encountered legal issues with his project, which forced him to terminate the endeavour and start with something new. Fortunately, he stated that those legal issues have since been resolved.
As far as we know, Beast’s source code was never released to the public, and no one has claimed to possess it, despite the fact that the source code was promoted as being for sale on Tataye’s networks.
When asked if Tataye still kept in touch with past scene members, he revealed that he hadn’t been in contact with them since 2005, the year he left the scene. He also mentioned that he was somewhat of a loner even during his active years between 2002 and 2005. Tataye started his journey with a well-known malware development crew called “Fearless Crew” and recalled a few past members, including MF4, Ghirai, Read101, and Gobo. He left the crew after a year.
I’ll have the opportunity to discuss the Fearless Crew in more detail in a future article, as I’m still actively in touch with one of its past members and co-founder, Read101.
Following the end of Beast, Tataye transitioned to new commercial projects that are still maintained today. These projects continue to focus on the realm of cyber surveillance, but they are less susceptible to legal issues. This shift reflects a more legitimate approach to the field, allowing Tataye to leverage his expertise while operating “within the bounds of the law”.
Beast 2.07 was the last and best known version of the RAT, which is why I have chosen to detail this specific version in this article. We will first briefly discuss its user interface before diving into its most important features. At the end of the article, you will find a comprehensive flowchart of the Beast 2.07 user interface, designed to evoke nostalgia and provide a complete overview of the features it offered. This flowchart serves as a valuable resource for understanding the intricacies of Beast 2.07 and reflecting on its impact during its heyday.
A Word about its memorable User Interface
The Beast C2, along with its other components, was developed using Delphi (most likely Delphi 7), a programming language that was quite popular among malware authors during that time. Personally, I still have a soft spot for Delphi even today, although I must admit my disappointment with the direction it has taken and the notorious bugs plaguing its integrated development environment (IDE). Despite these drawbacks, Delphi remains an important part of the history of malware development and a language that many enthusiasts, including myself, continue to appreciate.
For those curious about the unique graphical interface of the Beast, it was rendered using Theme Engine, a set of components designed to patch common Delphi VCL graphical controls and enhance visual components. Theme Engine was developed by Eugene Kryukov from KSDEV, but its development ceased over a decade ago. Consequently, the component pack is now difficult to find and cannot be installed on modern Delphi versions (At least not without significant modifications to the code).
One of the most appealing features of Theme Engine was its ability to integrate Microsoft Style (msstyle) files to theme Delphi applications. This functionality offered a vast array of potential skins since Microsoft Skins Files were highly popular at the time.
Another example of a project that utilised the Theme Engine component set to create an aesthetically pleasing command and control interface is the DarkMoon RAT (see image below). Like Beast, DarkMoon RAT’s visually striking design can be attributed to the creative use of Theme Engine’s capabilities.
Another impressive feature of Theme Engine was its ability to update the HUE of embedded skins, further expanding the customisation options for users.
Beast provided the opportunity to switch from the default “Metal Luna” theme, which had a preset hue change (red buttons turned to light blue) reminiscent of the Windows XP era, to a variety of other embedded themes.
Users also had the option to completely disable the Theme Engine, allowing for even greater flexibility in customising the interface to suit their preferences.
Regarding the organisation of the layout, the author chose to arrange all components within a single window and view. This design approach was quite common at the time, with examples including ProRat, DarkMoon, Net-Devil, SubSeven, Optix, Y3K, and others.
This arrangement encompassed the server connection manager, server builder, C2 configurations, remote functionalities, and more.
However, unlike many competing programs, every component of the C2 was bundled into a single executable file (for example, SubSeven was shipped with the edit server and reverse connection handler in separate executables).
Remote functions are organised into categories: “Managers,” “Windows,” “Lamer Stuff,” “Fun Stuff,” “Server,” “Misc,” and finally, “Beast Stuff” These categories are presented in a button-to-fieldset fashion.
Beast Feature Tour
Beast RAT was an incredibly comprehensive Remote Access Trojan for its time. It was among the most complete and powerful RATs of that era, which explains its immense popularity during that period. Only a few other competitors offered as many features as Beast, setting it apart from the rest in terms of functionality and capabilities.
Beast offered an array of remote features, including but not limited to complete control of the remote file system (downloading, uploading, renaming, and deleting files or directories), the ability to view remote screens or webcams, control remote Windows registry, manage system processes or services, record keystrokes, recover saved passwords, and scan for open ports. It also featured Fun/Lame functions designed to disrupt or make fun of the target user, all without their knowledge.
To be even more stealthy, Beast employed well-known techniques such as process injection to hide behind legitimate processes. These techniques, which are now widely recognised, allowed Beast to be more discreet from the perspective of target user, as well as bypass certain firewalls that filtered unauthorised applications. If you’re interested in learning more about these evasion techniques employed by malware, check out www.unprotect.it, which delves deeper into the topic.
Beast was designed to be even more efficient by offering options to kill or deactivate a variety of security software from different vendors, including the default and relatively weak (at that time) Windows Firewall. Back then, with enough luck and depending on the security software in question, these measures proved to be quite effective in bypassing defenses and maintaining persistence on the target system.
Lastly, Beast featured an embedded file binder, the purpose of which was to package the malware within a legitimate-looking software, complete with an icon designed to inspire trust in the unsuspecting target user. This effectively turned the malicious tool into a Trojan, deceiving the user into believing they were using a genuine application while the malware operated silently in the background.
Writing this article and dissecting Beast, decades after its last release, has brought back so many fond memories and has motivated me to continue my journey in unearthing other epic Remote Access Trojans from the old scene. Delving into the history of these tools not only helps one to understand the evolution of malware but also sheds light on the creativity and ingenuity of their authors, who were pushing the boundaries of what was possible in the world of both Hacking and Programming.
The entire Beast 2.07 user interface flowchart is available for download in PDF and PNG formats, as well as interactively through my website at this link.
If you’re interested in seeing more articles about past malware that left a lasting impression, please let me know in the comments section or drop me a message on Twitter or via email.
Thank you for reading, and I hope you enjoyed this trip down memory lane as we explored the fascinating history of Beast.
I would like to express my gratitude to Fred Vries for his invaluable assistance and review. Additionally, I am grateful to Tataye for kindly addressing some of my questions.
Featured image / banner by Lois