Triple-threat Borat malware no joke for victims

A newly discovered malware that combines remote access trojan (RAT), spyware and ransomware functionality is being described as a serious triple-threat to organisations, and unlike its namesake, it should be taken seriously.

The so-called Borat malware was picked up by researchers at Cyble Research Labs, and is apparently being circulated among malicious actors on dark web forums.

Borat essentially serves as a dashboard, enabling its users to compile malware binaries to perform a variety of different functions on compromised systems.

Its functionality includes keylogging; ransomware payload delivery; conducting distributed denial of service (DDoS) attacks; audio and webcam recording; enabling remote desktop access for its operator; enabling reverse proxy to perform further RAT activities anonymously; collecting information on the victim device; process hollowing, a technique used by threat actors to inject malicious code into a legitimate process; browser credential stealing; and Discord token theft.

It also performs a number of actions that appear to be designed to frustrate and irritate its victims, such as playing unwanted audio, swapping the mouse buttons around, showing or hiding the desktop and taskbars, and so on.

“The Borat RAT is a potent and unique combination of RAT, spyware and ransomware, making it a triple-threat to any machine compromised by it,” said Cyble’s research team.

“With the capability to record audio and control the webcam and conduct traditional info-stealing behaviour, Borat is clearly a threat to keep an eye on. The added functionality to carry out DDoS attacks makes this an even more dangerous threat that organisations and individuals need to look out for. The Cyble Research Team is closely monitoring the RAT’s actions and will keep informing our clients and people worldwide.”

Like most forms of malware, Borat can be easily thwarted by paying attention to standard cyber security best practice, such as keeping software and systems updated, backing up critical data, and reinforcing credential hygiene and phishing awareness.

More information on Borat, including screengrabs, MITRE ATT&CK techniques and indicators of compromise, is available from Cyble.

Chris Olson, CEO of digital safety platform The Media Trust, said Borat exposed the key role that dark web markets play in modern-day cyber crime. “They are one of many reasons we are seeing a rise in Web and Java-based malware with sophisticated features like polymorphic and obfuscated code, rapid URL shifting, and more,” he said.

“It takes little expertise for attackers to target consumers and organisations through digital surfaces – only the money and inclination to acquire the right code from malicious actors who design it for a living.”

Robert Shaughnessy, vice-president of federal market operations at US-based cyber consultancy Grimm, said: “Although the individual elements of Borat do not seem particularly novel, the availability of a pre-packaged suite of malicious tools with integrated management and control capabilities is an emerging trend.

“The past few months have seen an acceleration in widespread reels of malware tools and techniques globally,” he said. “We are likely to see more pre-packaged malware sets like Borat in the near future, as more and more individuals and organisations take advantage of the wealth of malicious software now available for profit.”