A recently unleashed Trojan that combines ransomware, spyware and remote access in a single malicious package has been named after one of British comedian Sacha Baron Cohen’s characters, Borat.

While its name may bring smiles, the dangerous malware should be taken seriously, as it poses a significant threat to potential victims.

Analysis of the trojan

The Remote Access Trojan (RAT) was identified by experts at Cyble Research Labs. The team performed a malware analysis and uncovered that the new threat does not simply settle for conventional remote access capabilities – the Borat RAT trojan additionally includes both ransomware and spyware functionality

According to Cyble, the malicious software is being offered to interested parties and is on sale in underground cybercriminal forums. The Borat RAT has a centralised dashboard and comes packaged with feature modules, a builder and a dedicated server certificate.

The capabilities of Borat RAT are manifold and far reaching, and include both a ransomware encryption component and a decryptor, a keylogger and the option for malicious users to generate ransom notes of their own design. The malware also includes an optional feature for distributed denial-of-service (DDoS) that can help disrupt normal traffic of any server targeted.

Advanced design for malicious activities

The malware designers have added the acronym RAT to its title to hint at their product’s remote surveillance features. Borat RAT is capable of remotely recording a device’s audio by capturing webcam footage or compromising its microphone. It also contains a wide range of remote-control possibilities that include hijacking a keyboard or mouse, stealing screen captures, tampering with a machine’s system settings and deleting or stealing data files if required.

The Borat RAT malware also makes use of process hollowing to compromise legitimate machine processes on a target device, and it can also activate reverse proxies. As a result, the malware can remain safely under the radar of security scans when it is conducting malicious activities.

The trojan has also been designed to efficiently harvest data. This includes not just confidential files, but also information on the machine’s operating system (OS). Once it has obtained the data it requires, it then sends it to the threat operator behind the attack via a command-and-control server.

An additional capability of the Borat RAT is its ability to zero in on detailed browser information – for example, cookies, bookmarks, browser histories, favourited and useful account credentials it can acquire for deeper access or to inform social engineering attacks. Browsers like the Chromium-based version of Microsoft Edge and Google’s Chrome are both impacted. Furthermore, Discord tokens can also be stolen by the malware.

Researchers at Cyble commented that the trojan can also perform other malicious processes to disturb or disrupt its victims. These include playing audio, switching out mouse buttons, hiding or showing a desktop taskbar, freezing a mouse or tablet stylus, tampering with lights on webcams, switching off monitors and more. The team at Cyble intends to continue to monitor the Borat RAT and record its activities to inform the community.

Protection for your enterprise

Help protect your enterprise from all sorts of malware with our easy-to-use secure platform, that will scan attachments to ensure there isn’t any malware before you can access it, giving you the peace of mind that you won’t breach your systems. You can get in contact with us to learn more, get a free 14-day trial or a demonstration of the platform.