Attackers are using a newly released remote access trojan (RAT) to spread ransomware & distributed denial of service (DDoS) in addition to the traditional RAT function of backdooring victims’ systems.
This new malware type extends the function of typical trojans with advanced functionality & a series of modules for launching several types of threat activity.
Sacha Baron Cohen
Researchers at Cyble Research Labs discovered the RAT, which they named Borat RAT because it uses a photo of Sacha Baron Cohen, the comedian who created & portrayed the fictional character Borat in a popular series of mockumentary films.
Borat RAT, however, is not “verrry nice,” contrary to one of the most popular catchphrases of the character it is named after.
Dashboard
It provides a range of advanced features as well as a dashboard for threat actors to perform various malicious activities beyond what other RATs can do, “further expanding the malware capabilities,” researchers stated in a blog post about the malware.
“The Borat RAT is a potent & unique combination of remote-access trojan, spyware & ransomware, making it a triple threat to any machine compromised by it,” according to the post.
Launchpad
As described by Cyble Research Labs, the RAT acts like a framework from which threat actors can launch their cyber-criminal activities, providing a dashboard to perform typical RAT activities as well as an option to compile the malware binary for performing DDoS & ransomware attacks on the victim’s machine.
“Interestingly, the RAT has an option to deliver a ransomware payload to the victim’s machine for encrypting users’ files as well as for demanding a ransom,” researchers stated.
“Like other ransomware, this RAT also has the capability to create a ransom note on the victim’s machine.”
Malware Operators
The RAT could have been designed to appeal to new malware operators, as cyber-criminals “often don’t know the best way to monetise their victims until they have been in an environment a while,” one security professional observed.
“Malware authors are increasingly developing feature sets & capabilities that allow flexibility on the part of the attacker,” John Bambenek, Principal Threat Hunter at Netenrich, a digital IT & security operations company, wrote.
However, often these types of tools “tend to be used by less sophisticated criminals, or those pretending to be less sophisticated who may find it difficult to succeed at ransomware at scale,” he added.
Features & Modules
Cyble researchers analysed a number of modules of the Borat RAT & found that its functionality is varied.
As mentioned, there is a ransomware module that can deliver a ransomware payload to the victim’s machine for encrypting users’ files & demand a ransom, as well as a module for performing a DDoS attack.
The RAT also includes the following functionality in a series of individual modules:
- A keylogger that can monitor & store the keystrokes in the victim’s machine;
- Audio recording that checks whether a microphone is present &, if so, records all audio & saves it to a file named micaudio.wav;
- Webcam recording that records video if a webcam is present in the victim’s machine;
- Remote desktop sessions that give threat actors the rights needed to control the victim’s machine, mouse, keyboard & screen capture;
- Code to enable reverse proxy for performing RAT activities anonymously;
- A module that collects information on a victim’s machine, including OS name/version, system model, etc.;
- Process hollowing that injects malicious code into the legitimate processes;
- Credential stealing that can steal cookies, history, bookmarks, & saved login credentials from Chromium-based browsers like Google Chrome & Edge; &
- A module that steals Discord tokens & sends the stolen token information to the attacker.
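A defender-side illustration of two artifacts from the module list above, added here as example code that is not from Cyble or this article: it scans constructed Sysmon-style file events for creation of micaudio.wav and for a non-browser process opening Chromium’s credential and cookie databases under its “User Data” directory. The Chromium file names are real; the browser process allow-list and the sample events are assumptions to tune for your own fleet.

```python
"""Detection sketch for host artifacts attributed to Borat RAT (example, not Cyble's code)."""
import json
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Files in a Chromium profile that hold the data the credential-stealing module targets.
CHROMIUM_SECRETS = {"login data", "cookies", "history", "bookmarks"}
# Processes that legitimately open those files (assumption; extend for Brave, Vivaldi, etc.).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe"}
# Output filename the audio-recording module writes, as reported in the analysis.
AUDIO_ARTIFACT = "micaudio.wav"


def classify_event(event: dict) -> Optional[str]:
    """Return a finding label for one file-access event, or None if it looks benign."""
    target = PureWindowsPath(event["target"])
    name = target.name.lower()
    proc = PureWindowsPath(event["image"]).name.lower()
    if name == AUDIO_ARTIFACT and event["action"] == "create":
        return "borat_audio_artifact"
    # Chromium keeps these databases under "User Data"; a non-browser process reading them
    # matches the browser-credential-theft pattern. The path check avoids flagging an
    # unrelated file that merely shares a name such as "history".
    if name in CHROMIUM_SECRETS and proc not in BROWSER_PROCESSES:
        if "user data" in str(target).lower():
            return "chromium_secrets_accessed_by_non_browser"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Scan JSON event lines; return (process, target, label) for each suspicious event."""
    findings = []
    for line in lines:
        event = json.loads(line)
        label = classify_event(event)
        if label:
            findings.append((event["image"], event["target"], label))
    return findings


# Constructed sample events (not real telemetry) in a simplified Sysmon-like JSON shape.
SAMPLE_LOG = [
    r'{"action":"create","image":"C:\\Users\\bob\\AppData\\Roaming\\svchost.exe","target":"C:\\Users\\bob\\AppData\\Roaming\\micaudio.wav"}',
    r'{"action":"read","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","target":"C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}',
    r'{"action":"read","image":"C:\\Users\\bob\\AppData\\Roaming\\updater.exe","target":"C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}',
    r'{"action":"read","image":"C:\\Windows\\explorer.exe","target":"C:\\Users\\bob\\Documents\\history"}',
]

if __name__ == "__main__":
    for proc, target, label in scan(SAMPLE_LOG):
        print(f"{label}: {proc} -> {target}")
```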
Remote Activities
Remote activities the RAT can perform to disturb victims include playing audio, swapping mouse buttons, showing/hiding the desktop, showing/hiding the taskbar, & holding the mouse, among others.
The Cyble Research Team stated it will continue to monitor the RAT’s actions & will update clients & the security community as the situation evolves.
Mitigate Risk
In the interim, organisations can mitigate risk by taking some common security precautions, such as avoiding the storage of important files in common locations like the Desktop & My Documents; using strong passwords & enforcing multi-factor authentication wherever possible; & turning on automatic software updates on all connected devices wherever possible & pragmatic, researchers advised.
Individual users also should use a reputable antivirus & internet security software package on all connected devices & should refrain from opening untrusted links & email attachments without verifying their authenticity, they explained.