Attackers are using a newly released remote access trojan (RAT) to spread ransomware and distributed denial of service (DDoS) — in addition to the traditional RAT function of backdooring victims’ systems.
Researchers at Cyble Research Labs discovered the RAT, which they dubbed Borat RAT because it uses a photo of Sacha Baron Cohen, the comedian who created and portrayed the fictional character Borat in a popular series of mockumentary films.
Borat RAT, however, is not “verrry nice” — contrary to one of the most popular catchphrases of the character for which it’s named. It provides a range of advanced features as well as a dashboard for threat actors to perform various malicious activities beyond what other RATs can do, “further expanding the malware capabilities,” researchers said in a blog post about the malware.
“The Borat RAT is a potent and unique combination of remote-access trojan, spyware and ransomware, making it a triple threat to any machine compromised by it,” according to the post.
Attack Launchpad
As described by Cyble Research Labs, the RAT acts like a framework from which threat actors can launch their cybercriminal activities, providing a dashboard to perform typical RAT activities as well as an option to compile the malware binary for performing DDoS and ransomware attacks on the victim’s machine.
“Interestingly, the RAT has an option to deliver a ransomware payload to the victim’s machine for encrypting users’ files as well as for demanding a ransom,” researchers said. “Like other ransomware, this RAT also has the capability to create a ransom note on the victim’s machine.”
Indeed, the RAT could have been crafted to appeal to fledgling malware operators, as cybercriminals “often don’t know the best way to monetize their victims until they have been in an environment awhile,” one security professional observed.
“Malware authors are increasingly developing feature sets and capabilities that allow flexibility on the part of the attacker,” John Bambenek, principal threat hunter at Netenrich, a digital IT and security operations company, wrote in an email to Threatpost.
The good news is, often these types of tools “tend to be used by less sophisticated criminals–or those pretending to be less sophisticated — who may find it difficult to succeed at ransomware at scale,” he added.
Specific Features and Modules
Cyble researchers analyzed a number of modules of the Borat RAT and found that its functionality is varied. As mentioned, there is a ransomware module that can deliver a ransomware payload to the victim’s machine for encrypting users’ files and demand a ransom, as well as a module for performing a DDoS attack.
The RAT also includes the following functionality in a series of individual modules:
- A keylogger that can monitor and store the keystrokes in the victim’s machine;
- Audio recording that checks if a microphone is present and will record all audio and save it in a file named micaudio.wav;
- Webcam recording that records video is a webcam is present in the victim’s machine;
- Remote desktop sessions that can allow threat actors the necessary rights to control the victim’s machine, mouse, keyboard and screen capture;
- Code to enable reverse proxy for performing RAT activities anonymously;
- A module that collects information on a victim’s machine, including OS name/ version, system model, etc;
- Process hollowing that injects malicious code into the legitimate processes;
- Credential stealing that can steal cookies, history, bookmarks, and saved login credentials from chromium-based browsers like Google Chrome and Edge; and
- A module that steals Discord tokens and sends the stolen token information to the attacker.
Remote activities the RAT can perform to disturb victims include: play audio, swap mouse buttons, show/hide the desktop, show/hide the taskbar, and hold the mouse, among others.
The Cyble Research Team said it will continue to monitor the RAT’s actions and will update clients and the security community as the situation evolves.
In the meantime, organizations can mitigate risk by performing some common security precautions, such as avoiding the storage of important files in common locations such as the Desktop and My Documents; using strong passwords and enforcing multi-factor authentication wherever possible; and turning on the automatic software update feature on all connected devices wherever possible and pragmatic, researchers advised.
Individual users also should use a reputed antivirus and internet security software package on all connected devices, and should refrain from opening untrusted links and email attachments without verifying their authenticity, they said.
Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our FREE downloadable eBook, “Cloud Security: The Forecast for 2022.” We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.