Malware researchers from Cyble published a technical analysis of a malware threat advertised as “Borat RAT,” which is available to many threat groups. The analysis revealed an extensive set of features in the malware, including the ability to launch ransomware, Distributed Denial-of-Service (DDoS) attacks, run hidden web browsers, steal files, activate the webcam and/or microphone of an infected computer to spy on people near the device, steal passwords stored in web browsers, capture keystrokes with a keylogger, and steal access tokens to take over Discord accounts.
The malware is written using the Microsoft .NET Framework and is compiled as a base EXE whose functionality is extended by individual modules shipped as DLL files. According to Cyble researchers, keystrokes captured by the keylogger are saved to a file named “Sa8XOfH1BudXLog.txt”; defenders could use file creation or modification events for that file name as a detection query.
The ransomware functionality is implemented in a file named “Ransomware.dll” and includes both the encryption and the decryption of files. Presumably the threat actor would negotiate an extortion payment with the victim and then use the existing Borat RAT remote-access channel to trigger the decryption function.
If the microphone spying functionality is enabled, Borat RAT saves the recorded audio to a file named “micaudio.wav” on the victim's computer.
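The two file names above (the keylogger output and the microphone capture) are the kind of indicator that can be turned directly into a file-event detection. The following is an added example, not code from Cyble or from the Borat RAT analysis: it matches constructed Sysmon-style FileCreate (Event ID 11) records against those two names. The sample events, host names and image paths are made up for illustration.

```python
"""Match constructed Sysmon-style FileCreate events against the Borat RAT
file names reported in the Cyble analysis (keylogger log and mic capture)."""
import ntpath
from dataclasses import dataclass

# File names taken from the analysis summarized above.
BORAT_FILE_IOCS = {
    "Sa8XOfH1BudXLog.txt": "Borat RAT keylogger output",
    "micaudio.wav": "Borat RAT microphone capture",
}

# Constructed sample events in the shape of Sysmon Event ID 11 (FileCreate).
# These are not real telemetry; hosts, images and paths are invented.
SAMPLE_EVENTS = [
    {"EventID": 11, "Computer": "WS01",
     "Image": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Sa8XOfH1BudXLog.txt"},
    {"EventID": 11, "Computer": "WS01",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"},
    {"EventID": 11, "Computer": "WS02",
     "Image": "C:\\Users\\bob\\Downloads\\update.exe",
     "TargetFilename": "C:\\USERS\\BOB\\APPDATA\\LOCAL\\TEMP\\MICAUDIO.WAV"},
    {"EventID": 1, "Computer": "WS02",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": ""},
]


@dataclass(frozen=True)
class Alert:
    computer: str
    image: str      # process that wrote the file, useful for triage
    path: str
    description: str


def match_file_iocs(events, iocs=BORAT_FILE_IOCS):
    """Return an Alert for every FileCreate event whose file name is an IOC.

    Only Event ID 11 records are considered. NTFS paths are case-insensitive,
    so the comparison is made on the lower-cased basename of TargetFilename.
    """
    lowered = {name.lower(): desc for name, desc in iocs.items()}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        path = ev.get("TargetFilename", "")
        base = ntpath.basename(path).lower()
        if base in lowered:
            alerts.append(Alert(ev.get("Computer", "?"), ev.get("Image", "?"),
                                path, lowered[base]))
    return alerts


if __name__ == "__main__":
    for a in match_file_iocs(SAMPLE_EVENTS):
        print(f"{a.computer}: {a.description} written by {a.image} -> {a.path}")
```

Matching on the hard-coded file names is cheap and precise, but it is also brittle: a rebuilt sample can trivially change them, so a detection like this should sit alongside behavioural rules (for example, an unsigned user-writable executable opening the microphone or writing into AppData) rather than replace them.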
To obtain computer system information, Borat RAT runs a series of commands through the command shell.