Borat RAT Malware

The cybersecurity firm, Cyble researchers have found a new remote access trojan (RAT) dubbed Borat, which allows infected systems to be controlled remotely by the threat actors. 

While this new trojan has been detected on darknet markets where the developers of this trojan offer several easy-to-use features to users for perming illicit activities or tasks like:-

  • DDoS attacks
  • UAC bypass
  • Ransomware deployment

To perform specific features like the above ones that we have mentioned, this new trojan, Borat authorizes its operators to assemble the binary of the malware.

Key Features & Abilities of Borat

This trojan enables its operators to take over the control of the following of their targets:-

  • System
  • Hang the System
  • Swap Mouse Buttons
  • Keyboard
  • Access files
  • Network points
  • Enable/Disable webcam light
  • Hide any signs of their presence
  • Remove traces
  • Play Audio
  • Show/hide the Desktop
  • Blank screen
  • Show/hide the taskbar
  • Hold Mouse
  • Monitor Off 

By creating a small payload that includes precisely what the attacker needs for highly targeted attacks, the malware allows its operators to customize the option of how it is compiled.

It was discovered and analyzed by the security analysts at Cyble, who identified Borat in the wild and described its function in a technical study in which it was discovered that Borat works on a simple level.

Here in the below image, you can see all the functionalities of Borat:-

Modules used by Borat

Each module in the RAT implements a specific functionality, and that’s why the structure is modular. However, below we have mentioned all the modules used by Borat:-

  • Keylogger: Using the computer’s “keylogger.exe” module, the attacker is able to record and store the keystrokes that are performed on the victim’s machine.
  • Ransomware: The ransomware module delivers a payload to the victim’s computer that encrypts files and demands a ransom in exchange for the release of files.
  • DDOS: A DDOS attack can be carried out with the help of this module.
  • Audio Recording: In order to record audio from a computer, the module checks to see if the victim’s computer has a microphone. When it finds a microphone connected, it records audio and saves it in the file micaudio.wav.
  • Webcam recording: Using a webcam, you can record video from this module.
  • Remote desktop: Operatives can perform a variety of operations using this module, such as manipulating files and executing code.
  • Reverse proxy: A reverse proxy is set up in this module so that the identity of the remote operator cannot be revealed by the proxy server.
  • Device information: The purpose of this module is to gather basic information about your system.
  • Process hollowing: It injects malware into legitimate processes through the process hollowing method.
  • Credential stealing: Chromium-based web browsers and this module allow taking account credentials.
  • Discord token stealing: This module enables the infected systems to steal Discord tokens from their Discord servers.

It can perform a range of malicious activities on a device as a result of its above features, which make Borat a potent RAT, spyware, and ransomware.

However, the threat actors usually distribute these tools through executables that are laced with worms and Trojans or disguised as cracks or mods for games and apps.

That’s why it’s strongly recommended to make sure that you’re not downloading anything from unknown or untrustworthy sources, including unreliable torrent sites or suspicious web pages.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.