Borat RAT: New Malware Combines Remote Access, Spyware and Ransomware

Researchers from Cyble Research Labs have discovered a new malware called Borat. It is a Remote Access Trojan (RAT) that is supposed to allow attackers to control a system remotely. However, Borat has been additionally enriched with functions of a spyware and a ransomware.

According to the researchers’ analysis, the malware, named after a character by comedian Sacha Baron Cohen, is currently being offered for sale in underground forums. According to the report, it is operated via a central dashboard. The scope of delivery includes a builder, the individual function modules and a server certificate.

The malware’s range of functions includes a keylogger, components for encrypting and decrypting files and an option for generating individual ransom demands. In addition, a function for distributed denial of service attacks can be retrofitted to disrupt normal data traffic to a targeted server.

However, the researchers also discovered various “fun functions” that ultimately helped the Trojan get its name. For example, the hijackers are able to remotely switch a monitor of a compromised system on and off, open and close the tray of an optical drive or hide the mouse pointer.

Less “fun” are functions that allow those behind the scenes to monitor a system remotely. Among other things, you can record audio and, if available, control a webcam, intercept keystrokes, take screenshots and manipulate system settings.

However, Borat RAT also collects data about the operating system and reads browser information such as cookies, history, and bookmarks. This data is transmitted to a command server. Chromium-based browsers such as Chrome and Edge are also affected.