Security researchers have reported a new malware strain capable of distributing ransomware and performing DDoS attacks. Named Borat after the infamous mockumentary film, the malware is a RAT (Remote Access Trojan), and it offers those two capabilities alongside the typical RAT feature set.
Borat RAT also gives threat actors a dashboard for carrying out RAT activities, along with an option to compile a malware binary for launching DDoS and ransomware attacks on the victim’s machine, according to Cyble researchers.
Borat RAT: Capabilities and Modules
The Borat RAT offers keylogging capabilities in its keylogger.exe module:
The module “keylogger.exe” is responsible for monitoring and storing the keystrokes in the victim’s machine. The below image shows the keyboard-related APIs used by the RAT for keylogging purposes. The captured keystrokes are saved in a file called “Sa8XOfH1BudXLog.txt” for exfiltration.
The malware has the capability to deliver a ransomware payload to the compromised machine which will encrypt the files and demand a ransom. The malware also has the capability to create a ransom note.
The RAT also has a module designed to disrupt the normal traffic of a targeted server by performing a DDoS (Distributed Denial of Service) attack.
Audio and Webcam Recording
The trojan also provides spyware functionality, as it is capable of recording audio and webcam activities. In terms of audio capturing, it checks if a microphone is present, and in case it locates a connected microphone, Borat RAT records all audio and saves it in a file named micaudio.wav.
The malware can record video through any webcam discovered on a compromised system. If it detects a webcam, it starts recording the video.
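The keylogger and audio modules described above each leave a named file on disk (“Sa8XOfH1BudXLog.txt” for captured keystrokes, “micaudio.wav” for microphone recordings). The following is an added defender-side example, not code from the article or from Cyble: a small Python hunt that walks a directory tree and reports any file whose name matches one of those two artifacts. The file names are taken from the article; the sample directory layout is constructed here for demonstration, and a real hunt would combine this with the other indicators in the full Cyble report.

```python
import os
import tempfile
from pathlib import Path

# Artifact file names quoted in the article's description of Borat RAT.
# Matching is case-insensitive because Windows file systems are.
BORAT_ARTIFACT_NAMES = {
    "sa8xofh1budxlog.txt",  # keylogger output file
    "micaudio.wav",         # microphone recording
}


def find_borat_artifacts(root):
    """Walk `root` and return the sorted paths of files whose name matches a known Borat artifact."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in BORAT_ARTIFACT_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree for the demo (hypothetical paths, not real malware output).

    Returns (root, expected_hits) so a caller can check the scan result.
    """
    root = tempfile.mkdtemp(prefix="borat_demo_")
    layout = [
        ("AppData/Roaming/Sa8XOfH1BudXLog.txt", True),   # keylog artifact, mixed case
        ("AppData/Local/Temp/MICAUDIO.WAV", True),       # audio artifact, upper case
        ("Documents/notes.txt", False),                  # benign
        ("Music/song.wav", False),                       # benign .wav with another name
    ]
    expected = []
    for rel, is_hit in layout:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"demo")
        if is_hit:
            expected.append(str(p))
    return root, sorted(expected)


if __name__ == "__main__":
    demo_root, _expected = build_sample_tree()
    found = find_borat_artifacts(demo_root)
    print(f"Scanned {demo_root}: {len(found)} artifact(s) found")
    for path in found:
        print("  ", path)
```

Run it as-is to see the constructed tree scanned; point `find_borat_artifacts` at a user profile directory on a suspect host to use it as a quick triage check. Because file names are cheap for a malware author to change, treat a miss as inconclusive and a hit as a reason to image the machine rather than as a full verdict.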
Remote Desktop Capabilities
The Remote Desktop option allows cybercriminals “to perform activities such as controlling the victim’s machine, mouse, keyboard, and capturing the screen. Controlling the victim’s machine can allow TAs to perform several activities such as deleting critical files, executing ransomware in the compromised machine, etc,” the report said.
Other capabilities of Borat RAT include acting as a reverse proxy, collecting device information, performing process hollowing, and stealing browser and Discord credentials.
This new malware strain is a “potent and unique combination” and poses a triple threat to victims worldwide (ransomware, spyware, and RAT). The added DDoS functionality makes it even more dangerous and of interest to a larger number of cybercriminals.
To avoid falling victim to this (or other) malware, follow the general “PC hygiene” tips: apply updates regularly, back up important files (to limit ransomware damage), and use strong passwords.