US Cert Alerts | Research

Apr 5, 2022

Coverage Added for Versatile Triple Threat – Borat RAT

Researchers at Cyble have discovered a new, highly versatile remote access trojan (RAT) called “Borat”. What makes this RAT unique from other RATs is the wide range of services it offers threat actors. Its features include the ability to conduct distributed denial-of-service (DDoS) attacks, user account control (UAC), and ransomware deployment.

The Borat RAT enables attackers to take control of their victim’s mouse and keyboard, access files, and hide signs of their presence. The RAT offers attackers a full dashboard to perform malicious activities including the option to choose their compilation options to create small payloads that allow them to create highly customized attacks.

Researchers have dubbed the Borat RAT a triple threat because of its unique capabilities of being a RAT, spyware, and ransomware. Below is a list of capabilities offered by the Borat RAT:

  • Keylogging – Monitors and stores victim’s keystrokes
  • Ransomware – deliver a payload to the victim’s machine for encrypting files and demanding ransom
  • DDOS – disrupt regular/normal traffic by initiating a denial-of-service attack
  • Record Audio – check if a microphone is present on the victim machine and record and save all audio
  • Capture Video – check if a webcam is present in the victim machine and begin recording video
  • Remote Desktop – control the victim’s mouse, keyboard to perform activities like deleting files, executing ransomware payloads
  • Reverse Proxy – anonymously perform RAT activities allowing the attacker to hide their identity when communicating with compromised servers
  • Collect Device Information – collect details about the victim machine
  • Browser Credential Stealing – steal cookies, history, bookmarks, saved login credentials from multiple installed browsers

Attacks leveraging any of the individual capabilities of Borat RAT can be disrupting to an organization, but if the attacker customizes their attack by leveraging multiple capabilities, it can potentially cause a lot of damage to the organization. Given the unique nature of Borat RAT, it is a threat not to be taken lightly.

What you should do now

The Borat RAT can be easily leveraged by threat actors to perform a wide variety of targeted malicious activities on a victim’s computer. We understand the seriousness of this threat and have updated our Hacker’s Playbook with 6 new attacks that allow you to test your security controls against the Borat RAT and ensure that your organization does not fall victim to this triple threat. Below is a list of the newly added attacks:

  • #6969 – Pre-execution phase of BoratRat_UPX malware (Host-Level)
  • #6970 – Write BoratRat_UPX malware to disk (Host-Level)
  • #6971 – Transfer of BoratRat_UPX malware over HTTP/S (Lateral Movement)
  • #6972 – Transfer of BoratRat_UPX malware over HTTP/S (Infiltration)
  • #6973 – Email BoratRat_UPX malware as a ZIP attachment (Lateral Movement)
  • #6974 – Email BoratRat_UPX malware as a ZIP attachment (Infiltration)

Additional recommendations to ensure protection:

  • Do not store critical files in commonly accessed locations including Desktop, My Documents, etc.
  • Change passwords regularly and enforce multi-factor authentication
  • Do not open emails and links from untrusted sources
  • Regularly perform security control validation using a BAS tool to ensure their efficacy against advanced threats

Get the latest
research and news