Borat, a new remote access trojan (RAT) with easy-to-use capabilities for DDoS attacks, UAC bypass, and ransomware deployment, has debuted on darknet marketplaces. As a RAT, Borat allows remote threat actors to take full control of the victim’s mouse and keyboard, manipulate network connections, access files, and hide any sign of their presence.
The malware allows its operators to customize their compilation choices to build compact payloads with only the features they want for highly targeted attacks. Borat was discovered in the wild by Cyble researchers, who sampled the malware for a technical investigation that demonstrated its operation.
It’s not clear whether the Borat RAT is sold or freely distributed among hackers, but Cyble reports that it comes as a bundle with a builder, a server certificate, and the malware modules. The trojan has the following functionalities, each of which has its own dedicated module:
- Keylogging – Keep track of keystrokes and save them in a text file.
- DDoS – Send junk traffic to a targeted server using the resources of the infected system.
- Ransomware – Deliver ransomware payloads to the victim’s workstation and generate a ransom message automatically.
- Webcam Recording – If a webcam is accessible, record video from it.
- Audio Recording – If a microphone is available, record audio and save it as a wav file.
- Device Info – Collect basic system information.
- Remote Desktop – Launch a hidden remote desktop to perform file operations, execute code, access input devices, launch applications, etc.
- Reverse Proxy – Set up a reverse proxy to conceal the remote operator’s identity.
- Credential Stealing – Steal account credentials saved in Chromium-based web browsers.
- Process Hollowing – Inject malicious code into legitimate processes to avoid detection.
- Discord Token Stealing – Steal the victim’s Discord tokens.
- Other Functionalities – Disturb and confuse the target by playing audio, swapping the mouse buttons, hiding the taskbar, flashing a blank screen, holding the mouse, hiding the desktop, turning off the monitor, or hanging the system.
According to Cyble’s study, Borat is effectively a RAT, spyware, and ransomware, so it’s a formidable threat that can perform a range of destructive activities on a system. Overall, even though the RAT’s creator chose the name Borat after the main character in the comedy film Borat, played by Sacha Baron Cohen, the malware is no laughing matter.
As part of the investigation into the malware’s origins, it was discovered that the payload executable had previously been identified as AsyncRAT, implying that its developer based the work on that project. Threat actors typically distribute such tools through trojanized executables or files masquerading as cracks for games and programs, so avoid downloading anything from untrustworthy sources such as torrents or dubious websites.