New Borat Remote Access Malware Is No Joke


A new remote access trojan (RAT) named Borat has appeared on darknet markets, providing easy-to-use functionality for conducting DDoS attacks, bypassing UAC, and deploying ransomware.

As a RAT, Borat allows remote hackers to take full control of their victim’s mouse and keyboard, access files, network points, and hide any sign of their presence.

The malware lets its operators choose their compilation options to create small payloads containing precisely what they need for highly customized attacks.

Borat was analyzed by Cyble researchers, who spotted it in the wild and sampled the malware for technical study which revealed its functionality.

Some of the features of Borat
Some of the features of Borat (Cyble)

Extended Features

It’s unclear if the Borat RAT is sold or freely shared among cybercriminals, but Cycle says it comes as a package that includes a builder, malware modules, and a server certificate.

Files in the Borat RAT Archive
Files in the Borat RAT Archive (Cyble)

The features of the Trojan, each with its own dedicated module, include the following:

  • Keylogging – monitor and record key presses and store them in a txt file
  • Ransomware – deploy ransomware payloads on victim machine and automatically generate ransom note via Borat
  • DDoS – direct unwanted traffic to a target server using the resources of the compromised machine
  • Audio recording – record audio through the microphone, if available, and store it in a wav file
  • Webcam recording – record webcam video, if available
  • Remote office – start a hidden remote desktop to perform file operations, use input devices, run code, launch applications, etc.
  • Reverse Proxy – set up a reverse proxy to protect the remote operator against the disclosure of his identity
  • Device information – gather basic information about the system
  • Hollowing process – inject malicious code into legitimate processes to evade detection
  • Theft of credentials – steal account credentials stored in Chromium-based web browsers
  • Discord token theft – steal Discord tokens from the victim
  • Other functions – disturb and confuse the victim by playing audio, swapping mouse buttons, hiding desktop, hiding taskbar, holding mouse, turning off monitor, displaying blank screen or suspending the system
More Borat Features
More Borat Announced Features (Cyble)

As stated in Cyble’s analysis, the above features make Borat essentially a RAT, spyware and ransomware, so it is a potent threat that could perform various malicious activities on a device.

All in all, even though the developer of the RAT decided to name it after the main character of the Borat comedy, played by Sacha Baron Cohen, the malware is no joke at all.

While digging deeper to try to find the origin of this malware, Bleeping Computer discovered that the payload executable was recently identified as AsyncRAT, so it is likely that its author based his work on it.

Typically, hackers distribute these tools via executables or files that masquerade as cracks for games and apps. So be careful not to download anything from untrustworthy sources like torrents or shady sites.


About Author

Comments are closed.