A new remote access trojan (RAT) dubbed “Borat” doesn’t come with many laughs but offers bad actors a menu of cyberthreats to choose from.
RATs are typically used by cybercriminals to get full control of a victim’s system, enabling them to access files and network resources and manipulate the mouse and keyboard. Borat does all this and also delivers features to enable hackers to run ransomware, distributed denial of service attacks (DDoS) and other online assaults and to install spyware, according to researchers at cybersecurity biz Cyble.
“The Borat RAT provides a dashboard to Threat Actors (TAs) to perform RAT activities and also has an option to compile the malware binary for performing DDoS and ransomware attacks on the victim’s machine,” the researchers wrote in a blog post, noting the malware is being made available for sale to hackers.
Borat – named after the character made famous by actor Sacha Baron Cohen in two comedy films – comes with the standard set of RAT features in a package that includes such components as a builder binary, server certificate and supporting modules.
It’s the other options that make it more interesting. Bad actors can use the malware to deliver ransomware that will encrypt files on a victim’s system and demand a ransom, including the ability to create a ransom note on the targeted machine. There also is code in Borat that will decrypt the files in the system once the ransom is paid.
Additionally, the RAT includes code for launching a DDoS attack, in which a website or server is overwhelmed by a wave of messages, slowing down responses and services to legitimate users and sometimes forcing the site to shut down. Often it takes paying the threat actor money to shut off the DDoS attack.
On top of that, there is a range of remote surveillance capabilities that enable hackers to spy on the system and its user, including a keylogger that monitors and stores keystrokes from a victim’s machine. The keystrokes are saved in a file and later exfiltrated from the system.
Borat will determine if a connected microphone is included on the system and, if so, will record the audio from the computer, with the recorded audio stored in another file named “micaudio.wav.” In similar fashion, if a webcam is found on the system, the malware can start recording from the camera.
In addition, there is a remote desktop function.
“This malware takes the remote desktop of the infected machine,” the researchers wrote. “It then gives the Threat Actor (TA) the necessary rights to perform activities such as controlling the victim’s machine, mouse, keyboard, and capturing the screen. Controlling the victim’s machine can allow TAs to perform several activities such as deleting critical files, executing ransomware in the compromised machine, etc.”
The RAT grabs information from the victim’s machine, such as the name and version of the operating system and the model of the machine, and will steal cookies, bookmarks and saved login credentials from systems running Chrome and Chromium-based Microsoft Edge browsers.
The malware also steals Discord tokens. The token and the collected information are then sent to a compromised command-and-control (C2) server.
Borat uses process hollowing, a technique where the threat actors can inject malicious code into legitimate processes on the system. There also is reverse proxy code, which enables the RAT to perform its work anonymously and the hackers to hide their identity while communicating with the C2 servers.
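One way a defender could flag the file activity described above (access to Chrome, Edge and Discord stores by some other process, and creation of micaudio.wav) in endpoint telemetry. This is an added example, not code from Cyble or from the malware; the event schema, the default profile paths and the sample events are assumptions constructed for illustration, and only the micaudio.wav name comes from the article.

```python
import ntpath  # parses Windows paths on any OS

# Assumption: default profile locations for these apps (not from the Cyble report),
# mapped to the only process expected to open them.
STORES = {
    r"\google\chrome\user data": "chrome.exe",
    r"\microsoft\edge\user data": "msedge.exe",
    r"\discord\local storage\leveldb": "discord.exe",
}
STORE_FILES = {"login data", "cookies", "bookmarks"}  # data types the article lists
AUDIO_ARTIFACT = "micaudio.wav"  # recording file name given in the article

def classify(event):
    """Return a finding for one file event, or None if it looks benign."""
    image = ntpath.basename(event["image"]).lower()
    target = event["target"].lower()
    name = ntpath.basename(target)
    if event["action"] == "create" and name == AUDIO_ARTIFACT:
        return f"{image} created {AUDIO_ARTIFACT}"
    for marker, owner in STORES.items():
        if marker in target and image != owner:
            # Any leveldb file may hold Discord tokens; browsers: named stores only.
            if owner == "discord.exe" or name in STORE_FILES:
                return f"{image} accessed {owner} store file '{name}'"
    return None

def scan(events):
    """Classify every event and keep only the findings."""
    return [f for f in map(classify, events) if f]

# Constructed sample events (hypothetical schema: image, action, target).
U = r"C:\Users\alice\AppData"
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "action": "read", "target": U + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "action": "read", "target": U + r"\Local\Microsoft\Edge\User Data\Default\Cookies"},
    {"image": U + r"\Local\Temp\client.exe",
     "action": "read", "target": U + r"\Roaming\discord\Local Storage\leveldb\000005.ldb"},
    {"image": U + r"\Local\Temp\client.exe",
     "action": "create", "target": U + r"\Local\Temp\micaudio.wav"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Because Borat uses process hollowing, the accessing process may carry a legitimate binary's name, which is why the check keys on "not the owning application" rather than on a list of known-bad names. The micaudio.wav match is by file name only.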
To further rattle victims, Borat can run such tasks as playing audio, showing and hiding the desktop or taskbar, enabling or disabling the webcam light, turning off the monitor or showing a blank screen.
The Cyble researchers wrote that Borat is a “potent and unique combination” of threats, “making it a triple threat to any machine compromised by it. With the capability to record audio and control the webcam and conduct traditional info stealing behavior, Borat is clearly a threat to keep an eye on.”