Borat RAT, a new RAT that performs ransomware and DDoS attacks

Pierluigi Paganini April 04, 2022

Cyble researchers discovered a new remote access trojan (RAT) named Borat capable of conducting DDoS and ransomware attacks.

Researchers from threat intelligence firm Cyble discovered a new RAT, named Borat, that enables operators to gain full access and remote control of an infected system.

Unlike other RATs, the Borat RAT provides Ransomware and DDOS services to attackers expanding their capabilities.

The Borat RAT allows its operators to compile the malware binary for performing specific features, including DDoS and ransomware attacks.

borat rat

Cybler experts reported that Borat RAT comes as a package which includes builder binary, several modules, a server certificate, and more.

Files in the Borat RAT archive
Files in the Borat RAT archive (Cyble)

The RAT has a modular structure, each module implements a specific functionality. Below a list of the modules analyzed by Cyble:

  • Keylogger – The module “keylogger.exe” is responsible for monitoring and storing the keystrokes in the victim’s machine. 
  • Ransomware – This module delivers a ransomware payload to the victim’s machine for encrypting users’ files as well as for demanding a ransom. 
  • DDOS – This module is used to perform a DDOS attack.
  • Audio Recording – The module can record the audio of a computer. Initially, it checks if a microphone is present in the victim’s machine. If it can find a connected microphone, the RAT records all audio and saves it in a file named micaudio.wav.
  • Webcam recording – This module records video from the webcam, if available
  • Remote desktop – This module sets up a hidden remote desktop to allow operators to perform multiple operations including file manipulation and code execution.
  • Reverse proxy – This module sets up a reverse proxy to protect the remote operator from having their identity exposed
  • Device information – This module gathers basic system information
  • Process hollowing – This module injects malicious code into the legitimate processes using the process hollowing technique.
  • Credential stealing – This module allows stealing account credentials stored in Chromium-based web browsers.
  • Discord token stealing – This module allows stealing Discord tokens from the infected systems.

The BORAT RAT is also able to perform the following activities to disturb the victims: Play Audio, Swap Mouse Buttons, Show/hide the Desktop, Show/hide the taskbar, Hold Mouse, Enable/Disable webcam light, Hang System, Monitor Off, Blank screen, etc.     

“The Borat RAT is a potent and unique combination of Remote Access Trojan, Spyware, and Ransomware, making it a triple threat to any machine compromised by it. With the capability to record audio and control the webcam and conduct traditional info stealing behavior, Borat is clearly a threat to keep an eye on. The added functionality to carry out DDOS attacks makes this an even more dangerous threat that organizations and individuals need to look out for.” concludes Cyble. “The Cyble Research Team is closely monitoring the RAT’s actions and will keep informing our clients and people worldwide.”

Please vote Security Affairs as best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and other of your choice.

To nominate, please visit: https://forms.gle/4D4PygUVcNxFQ6iFA

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, RAT)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment