A new Remote Access Trojan (RAT) has been identified that makes it easy for threat actors to conduct ransomware and DDoS attacks. The malware – dubbed Borat – takes its name from the character created by Sacha Baron Cohen and was discovered by researchers at the cybersecurity firm Cyble following attacks in the wild using the malware.
Their analysis of the Borat RAT revealed it has extensive features. Those features are delivered through separate modules, which makes it easy for threat actors to create small malware payloads that provide only the capabilities they need for their campaigns.
There is a keylogging module, a ransomware feature that makes it simple to deploy ransomware and generate ransom notes, a DDoS feature, and a reverse proxy to protect the operator of the malware and allow anonymous communication. The malware allows operators to take full control of the mouse, microphone, and webcam and the malware also has remote desktop capabilities.
The malware can steal credentials from Chromium-based browsers, Discord tokens, and inject malicious code into legitimate processes to evade detection. The malware can also be used to cause problems for users, such as swapping mouse buttons, hiding the taskbar and desktop, displaying a blank screen, crashing the device, turning off monitors, playing audio files, and more.
Cyble researchers said the malware is provided as a package that includes the builder, various modules, and a server certificate, and there is a dashboard through which users of the malware can perform their malicious activities. It is not clear at this stage if the malware is being sold to threat actors or if it is being distributed among threat actors for free.
RATs can be distributed in a variety of ways, including phishing emails, packaging the malware with fake/pirated software installers and cracks/product activators, and through malicious websites with traffic directed to the sites through malvertising. To prevent attacks, cybersecurity best practices should be adopted, an email security solution and antivirus software should be implemented, strong passwords should be set with multi-factor authentication used, and organizations should also consider using a web filter to block downloads of risky file types and access to torrent sites. It is also important to regularly back up data and to store the backups offline to ensure data recovery is possible in the event of a ransomware attack.
“The Borat RAT is a potent and unique combination of Remote Access Trojan, Spyware, and Ransomware, making it a triple threat to any machine compromised by it,” explained Cyble. “Borat is clearly a threat to keep an eye on.”