A new remote access trojan (RAT) named Borat has appeared on darknet markets, offering easy-to-use features to conduct DDoS attacks, UAC bypass, and ransomware deployment.
As a RAT, Borat enables remote threat actors to take complete control of their victim’s mouse and keyboard, access files, network points, and hide any signs of their presence.
The malware lets its operators choose their compilation options to create small payloads that feature precisely what they need for highly tailored attacks.
Borat was analyzed by researchers at Cyble, who spotted it in the wild and sampled the malware for a technical study that revealed its functionality.
The RAT also performs the following activities to disrupt the victim: play audio, swap mouse buttons, show/hide the desktop, show/hide the taskbar, hold the mouse, enable/disable the webcam light, hang the system, turn the monitor off, blank the screen, etc.
It's uncertain if the Borat RAT is sold or freely shared among cybercriminals, but it comes in the form of a bundle that includes a builder, malware modules, and a server certificate.
The features of the trojan, each having its own dedicated module, include the following:
- Keylogging – monitor and log key presses and store them in a .txt file
- Ransomware – deploy ransomware payloads onto the victim’s machine and automatically generate a ransom note through Borat
- DDoS – direct garbage traffic to a target server by using the compromised machine’s resources
- Audio recording – record audio via the microphone, if available, and store it in a .wav file
- Webcam recording – record video from the webcam, if available
- Remote desktop – start a hidden remote desktop to perform file operations, use input devices, execute code, launch apps, etc.
- Reverse proxy – set up a reverse proxy to protect the remote operator from having their identity exposed
- Device info – gather basic system information
- Process hollowing – inject malware code into legitimate processes to evade detection
- Credential stealing – steal account credentials stored in Chromium-based web browsers
- Discord token stealing – steal Discord tokens from the victim
- Other functions – disrupt and confuse the victim by playing audio, swapping the mouse buttons, hiding the desktop, hiding the taskbar, holding the mouse, turning off the monitor, showing a blank screen, or hanging the system
As noted in Cyble’s analysis, the above features make Borat essentially a RAT, spyware, and ransomware, so it’s a potent threat that could conduct a variety of malicious activity on a device.
All in all, even though the RAT's developer decided to name it after the main character of the comedy movie Borat, played by Sacha Baron Cohen, this malware is no joke at all.
Digging deeper into the origin of this malware, Bleeping Computer found that the payload executable had recently been identified as AsyncRAT, so it is likely that Borat's author based their work on it.
Typically, threat actors distribute these tools via laced executables or files that masquerade as cracks for games and applications, so be careful not to download anything from untrustworthy sources such as torrents or shady sites.
Listed below are some essential cybersecurity best practices that form the first line of defense against attackers.
- Don’t keep important files in common locations such as the Desktop, My Documents, etc.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputable anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Back up your data regularly and keep those backups offline or on a separate network.
The Borat RAT is a potent and unique combination of Remote Access Trojan, Spyware, and Ransomware, making it a significant threat to any compromised system. With the capability to record audio and control the webcam as well as conduct traditional info stealing, Borat is clearly a threat to keep an eye on.
The added functionality to carry out DDoS attacks makes this an even more dangerous RAT that organizations and individuals need to look out for. The Cyble Research Team is closely monitoring the RAT's activity and will keep informing our clients and people worldwide.