Malware researchers from Cyble published a technical analysis of a malware threat advertised as “Borat RAT,” which is available to many threat groups. The analysis revealed an extensive set of features in the malware, including the ability to launch ransomware, Distributed Denial-of-Service (DDoS) attacks, run hidden web browsers, steal files, activate the webcam and/or microphone of an infected computer to spy on people near the device, steal passwords stored in web browsers, capture keystrokes with a keylogger, and steal access tokens to take over Discord accounts.
The malware is written using the Microsoft .NET Framework and is compiled as individual modules in DLL files that extend the base functionality of an EXE file. According to Cyble researchers, keystrokes captured by the keylogger are saved in a file named “Sa8XOfH1BudXLog.txt”; defenders could use file creation or modification events with that file name as a detection query.
The ransomware functionality is implemented in a file named “Ransomware.dll” and includes both the functionality to encrypt as well as decrypt files. Presumably the threat actor would negotiate with the victim for an extortion payment, and then use their existing remote control from Borat RAT to activate the decryption function.
If the microphone spying functionality is enabled, Borat RAT saves audio files to “micaudio.wav” on the victim computer.
To obtain computer system information, Borat RAT runs a series of commands through the command shell.
Analyst Notes
Defenders can benefit from malware analysis reports by developing custom threat detection rules for the patterns of behavior exhibited by the malware. In this case, that means looking for any of the following filenames appearing on an endpoint:
• Sa8XOfH1BudXLog.txt
• micaudio.wav
• Ransomware.dll
Another useful behavioral pattern to watch for is a series of computer profiling commands (especially when run from an unusual parent process). The list of commands that Borat RAT runs includes the following:
• systeminfo
• ver
• hostname
• set
• wmic logicaldisk get caption,description,providername
• net user
• net user administrator
• wmic startup get caption,command
• tasklist /svc
• ipconfig /all
• netstat -ano
• sc query type= service state = all
• netsh firewall show state & netsh firewall show config
Although none of these commands is malicious on its own, and they may be commonly used by administrative scripts in an enterprise environment, when many or all of these are run in a short period of time from the same endpoint, that may be unusual enough to trigger an investigation.
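The two detection ideas above (artifact filenames, and a burst of profiling commands from one endpoint) as an added example in Python; this is not code from Cyble's report or the original post. It assumes process and file events arrive as dicts with host, time and cmdline/path fields, that commands are spawned through cmd.exe /c, and that a 5-minute window with 6 distinct commands is a reasonable starting threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ntpath import basename
# Prefixes of the profiling commands listed above, matched case-insensitively.
PROFILING_COMMANDS = ("systeminfo", "ver", "hostname", "set", "wmic logicaldisk get",
                      "net user", "wmic startup get", "tasklist /svc", "ipconfig /all",
                      "netstat -ano", "sc query", "netsh firewall show")
# File names the report ties to the keylogger, microphone and ransomware modules.
ARTIFACT_FILES = {"sa8xofh1budxlog.txt", "micaudio.wav", "ransomware.dll"}
def matched_command(cmdline):
    """Profiling command a command line maps to, or None; the 'cmd.exe /c' wrapper is stripped."""
    cl = cmdline.lower().strip().removeprefix("cmd.exe /c ")
    for cmd in PROFILING_COMMANDS:
        if cl == cmd or cl.startswith(cmd + " "):
            return cmd
    return None

def profiling_bursts(events, window=timedelta(minutes=5), min_distinct=6):
    """{host: commands} for hosts that ran >= min_distinct distinct profiling commands
    within `window`; events are dicts with host, time (ISO 8601) and cmdline keys (assumed)."""
    per_host = defaultdict(list)
    for ev in events:
        if cmd := matched_command(ev["cmdline"]):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), cmd))
    hits = {}
    for host, seq in per_host.items():
        seq.sort()  # slide a window anchored at each event, in time order
        for i, (start, _) in enumerate(seq):
            distinct = {c for t, c in seq[i:] if t - start <= window}
            if len(distinct) >= min_distinct:
                hits[host] = sorted(distinct)
                break
    return hits

def artifact_file_hits(file_events):
    """(host, path) pairs for file events whose base name is a known Borat RAT artifact."""
    return [(ev["host"], ev["path"]) for ev in file_events
            if basename(ev["path"]).lower() in ARTIFACT_FILES]
# Constructed sample telemetry (not real logs): WS01 shows a burst, WS02 does not.
SAMPLE_PROCESS_EVENTS = [
    {"host": "WS01", "time": "2022-04-05T10:00:01", "cmdline": "cmd.exe /c systeminfo"},
    {"host": "WS01", "time": "2022-04-05T10:00:02", "cmdline": "cmd.exe /c ver"},
    {"host": "WS01", "time": "2022-04-05T10:00:03", "cmdline": "cmd.exe /c hostname"},
    {"host": "WS01", "time": "2022-04-05T10:00:05", "cmdline": "cmd.exe /c wmic logicaldisk get caption,description,providername"},
    {"host": "WS01", "time": "2022-04-05T10:00:06", "cmdline": "cmd.exe /c net user"},
    {"host": "WS01", "time": "2022-04-05T10:00:08", "cmdline": "cmd.exe /c tasklist /svc"},
    {"host": "WS02", "time": "2022-04-05T08:30:00", "cmdline": "cmd.exe /c ipconfig /all"},
]
SAMPLE_FILE_EVENTS = [{"host": "WS01", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\micaudio.wav"},
                      {"host": "WS02", "path": "C:\\Users\\bob\\Documents\\notes.txt"}]
```

Tune `window` and `min_distinct` against a baseline of your own admin scripts before alerting, since several of these commands are common in benign automation.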