Borat RAT - Malicious code in a triple pack
by Tina Siering
What is Borat RAT?
Borat is a remote access Trojan (RAT) that gives an attacker remote control over infected systems. It can be used for a range of attacks: deploying ransomware, recording keystrokes and mouse movements, launching DDoS attacks, or escalating to administrative privileges by bypassing User Account Control (UAC). Borat RAT is a highly flexible tool that cybercriminals can tailor to their specific needs.
Borat is offered on hacking boards and forums on the darknet. Security researchers assume that its feature set will be expanded significantly in the near future. Whether the tool will be sold or handed out for free on the darknet is still unclear.
What stands out about Borat RAT are functions that attackers can use not only to spy on and blackmail their victims but also to harass them. The tool can swap the mouse buttons, hide the taskbar, turn off the screen or freeze the system entirely. Playing audio files on the victim's machine is also part of Borat's repertoire.
How does the dangerous malware spread?
Borat is mostly spread via links or attachments in e-mails, or via websites. Distribution by e-mail is still frighteningly effective: hidden in attachments that look harmless at first glance, such as MS Word documents, ZIP archives or plain executables, the malware runs as soon as the recipient opens the attachment or the file it contains. On websites, Borat hides behind links that promise free software downloads. It is also seeded on P2P networks and file hosters, where it waits for unwary users.
What kind of damage can hackers do with Borat RAT?
Even a "classic" RAT can cause massive damage to compromised systems. Remote access Trojans give attackers complete control over a compromised machine. Once the malware is active, attackers can reach network resources, files and connected peripherals such as keyboard, mouse or webcam. Data can be read, passwords captured, and users can even be locked out of their own systems. Borat RAT goes one, or rather two, steps further: in addition to the RAT functions it can run DDoS attacks and act as ransomware for extortion.
For cybercriminals, Borat RAT is an extensive construction kit that lets each attacker customize the malware: the Borat package includes a builder, various modules and a server certificate. Any cybercriminal can thus assemble "their" Borat RAT with little effort and at low cost. From a dashboard, attackers then run RAT activities, launch DDoS attacks or push ransomware onto compromised systems to start extortion attempts. Borat can steal Discord tokens, inject malicious code into processes, and even reach into the victim's "analog" privacy: an attacker can remotely switch on the webcam and microphone of an affected computer and record what happens in front of it.
The remote desktop function of Borat RAT is just as dangerous. With it, attackers can delete or steal stored data and record and exfiltrate login credentials for online accounts and shared resources. In a very short time they can steal or destroy valuable, highly sensitive company data, make workflows impossible, or bring the entire (digital) day-to-day business to a standstill by paralyzing the whole system.
In summary, Borat RAT can cause the following damage, among others:
- Enable remote control of the entire IT system by attackers
- Delete or steal data, or record activities in front of the webcam
- Carry out DDoS attacks
- Deploy ransomware
How organizations protect themselves from the new Borat RAT
As mentioned above, Borat RAT is a fairly new malware whose exact functionality is not yet conclusively known. Experts nevertheless expect it to become a popular tool for cybercriminals in the near future and to gain new functions accordingly. It is therefore all the more important for companies, organizations and private users to prepare for Borat RAT today and to implement basic measures that give the malware as little attack surface as possible.
In general, it is important to identify existing vulnerabilities and close security gaps. Reliable antivirus software is mandatory, as is regular updating and patching of operating systems and applications. Logon credentials of all kinds should be protected with multi-factor authentication, and data should be backed up regularly and tested for restore. E-mail security solutions can classify and filter messages with malicious attachments before they reach users. Speaking of users: the "human vulnerability" is still one of the most popular entry points for attackers. Whether through social engineering or forged e-mails, malware delivered this way needs an initial action by a user. If employees are sensitized in regular training sessions to the dangers of ignorance and carelessness, a big step has been taken towards cyber resilience for the entire company.
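The attachment filtering mentioned above is usually a commercial product, but the core checks are simple. The following is an added example, not code from the original article or from any vendor: it triages an attachment by name and content, flagging executable and double extensions (such as `Invoice.pdf.exe`), a PE header hidden under a harmless extension, and the `vbaProject.bin` macro container inside an Office document (which, like a ZIP archive, is itself a ZIP container). All sample attachments are constructed in memory; the extension list and the allow/block threshold are assumptions for the example.

```python
import io
import os
import zipfile

# Extensions an ordinary business e-mail should never carry as an attachment (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".dll", ".msi", ".bat", ".cmd",
                   ".ps1", ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk"}
MZ_MAGIC = b"MZ"          # DOS/PE executable header
ZIP_MAGIC = b"PK\x03\x04"  # ZIP local file header; OOXML documents use the same container
VBA_PROJECT = "vbaproject.bin"  # macro storage inside docm/xlsm/pptm (compared lowercase)


def _exts(name):
    """All extension parts of a filename, lowercased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = os.path.basename(name).lower().split(".")
    return ["." + p for p in parts[1:]]


def _check_name(name, findings, prefix=""):
    exts = _exts(name)
    if exts and exts[-1] in EXECUTABLE_EXTS:
        kind = "double extension" if len(exts) >= 2 else "executable extension"
        findings.append(f"{prefix}{kind}: {name}")


def _check_head(name, head, findings, prefix=""):
    """A PE header under a non-executable extension means the file was renamed to look benign."""
    exts = _exts(name)
    if head.startswith(MZ_MAGIC) and (not exts or exts[-1] not in EXECUTABLE_EXTS):
        findings.append(f"{prefix}PE header in non-executable file: {name}")


def triage_attachment(name, data):
    """Return a list of human-readable findings for one attachment (empty list = nothing suspicious)."""
    findings = []
    _check_name(name, findings)
    _check_head(name, data[:2], findings)
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = info.filename
                    if member.endswith("/"):  # directory entry
                        continue
                    prefix = f"inside {name}: "
                    if os.path.basename(member).lower() == VBA_PROJECT:
                        findings.append(f"{prefix}VBA macro project {member}")
                    _check_name(member, findings, prefix)
                    with zf.open(info) as fh:       # read only the magic, never inflate the whole member
                        _check_head(member, fh.read(2), findings, prefix)
        except zipfile.BadZipFile:
            findings.append(f"corrupt or malformed ZIP: {name}")
    return findings


def verdict(name, data):
    """Assumed policy for the example: any finding blocks the attachment."""
    return "block" if triage_attachment(name, data) else "allow"


def _build_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed sample attachments (not real malware): a fake PE stub, a ZIP hiding a
# double-extension executable, a macro-enabled Word document, a renamed executable, a clean PDF.
FAKE_PE = MZ_MAGIC + b"\x90\x00" + b"\x00" * 60
SAMPLE_ZIP = _build_zip({"Invoice_2023.pdf.exe": FAKE_PE})
SAMPLE_DOCM = _build_zip({"[Content_Types].xml": b"<Types/>",
                          "word/document.xml": b"<w:document/>",
                          "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"})
SAMPLE_RENAMED_EXE = FAKE_PE           # delivered as "report.pdf"
SAMPLE_PDF = b"%PDF-1.4\n%clean constructed document\n"

if __name__ == "__main__":
    for n, d in [("Invoice.zip", SAMPLE_ZIP), ("Offer.docm", SAMPLE_DOCM),
                 ("report.pdf", SAMPLE_RENAMED_EXE), ("invoice.pdf", SAMPLE_PDF)]:
        print(n, verdict(n, d), triage_attachment(n, d))
```

Reading only the first two bytes of each archive member keeps the check cheap and avoids inflating a decompression bomb; a production filter would additionally detonate unknown files in a sandbox and recurse into nested archives.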
With ACD as a Managed Detection and Response (MDR) solution, Allgeier secion offers a further, active security layer for companies that raises the level of protection once again. Respond actively instead of merely reacting: Allgeier secion's Active Cyber Defense service differs from other Incident Detection & Response solutions through features drawn from threat hunting. Among other things, ACD offers:
- Continuous monitoring of all systems within a network, including laptops, cell phones, tablets, servers or network devices.
- Protection without installing agents on clients: ACD checks at the network level whether systems are compromised or communicating with C&C servers
- Reliable detection of conspicuous communication behavior, resulting in fast, targeted isolation and elimination of malware
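The network-level detection described in the list above rests on a well-known observation: a RAT polls its command-and-control server on a fixed schedule, while human-driven traffic does not. The following is an added example, not ACD's or any vendor's code, showing the simplest form of that check: group flow records by (source, destination, port), compute the inter-arrival times, and flag pairs whose intervals are regular (low coefficient of variation) over enough connections. The flow records use RFC 5737 documentation addresses and are constructed for the example; the thresholds are assumptions and would be tuned against real baselines.

```python
import statistics
from collections import defaultdict

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port). Not real traffic.
def _beacon_flows():
    # A host checking in roughly every 60 s with +/-1 s jitter, 20 connections.
    jitter = [0, 1, -1]
    return [(60 * i + jitter[i % 3], "10.0.0.5", "203.0.113.10", 443) for i in range(20)]

def _human_flows():
    # Irregular, bursty browsing-like traffic from another host.
    times = [0, 7, 30, 31, 95, 140, 141, 142, 260, 300]
    return [(t, "10.0.0.7", "198.51.100.20", 443) for t in times]

def _sparse_flows():
    # Too few connections to judge, regardless of regularity.
    return [(t, "10.0.0.9", "192.0.2.30", 8080) for t in (0, 60, 120)]

FLOWS = _beacon_flows() + _human_flows() + _sparse_flows()


def find_beacons(flows, min_flows=8, max_cv=0.1):
    """Return (src, dst, port) pairs whose connection intervals are suspiciously regular.

    min_flows: minimum connections before a pair is scored (assumed threshold).
    max_cv:    maximum coefficient of variation (stdev / mean) of the gaps (assumed threshold).
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    results = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            results.append({"src": src, "dst": dst, "port": port,
                            "flows": len(times), "interval_s": round(mean, 1), "cv": round(cv, 3)})
    return results


if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print(f"possible C2 beacon: {hit['src']} -> {hit['dst']}:{hit['port']} "
              f"every ~{hit['interval_s']} s over {hit['flows']} flows (cv={hit['cv']})")
```

In practice the same scoring is run per destination over hours of NetFlow or proxy logs, combined with destination reputation and byte-size regularity, and the thresholds are relaxed to catch implants that randomize their sleep interval.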
Appropriate handling of security incidents such as a compromise by Borat RAT requires additional detailed policies and processes in order to respond quickly and accurately in the event of an emergency. With Allgeier secion's IR Readiness Program, companies receive comprehensive support in providing the necessary tools and tailored recommendations for action.
Conclusion
Borat RAT has the potential to grow into one of the most dangerous malware families in the coming weeks and months. This fairly new malware already offers a wide portfolio of attack methods, combining the stealth of a RAT with the brute force of DDoS attacks and adding ransomware that makes costly extortion attempts possible. Security researchers have not yet fully analyzed Borat, and its distribution channels are only partly known. It is all the more important that organizations deal with the new threat now and respond with appropriate measures. With ACD as a Managed Detection and Response (MDR) solution, supplemented by the IR Readiness Program, Allgeier secion offers tailored, cost-effective security solutions that give even small and medium-sized enterprises without their own IT security team or in-house SIEM the protection against cyber attacks they urgently need.