New Borat RAT Malware Toolkit is No Joke, More Dangerous Than Originally Thought

Sacha Baron Cohen's quirky mustached Borat character can be a hoot. The multi-purpose malware toolkit named after the character, however, is certainly nothing to joke about.

Security researchers have uncovered a new strain of malware that is called the Borat RAT. RAT stands for 'remote access trojan', but trojan capabilities are just a small part of the toolkit's features.

Versatile and dangerous

Borat RAT is a malware tool sold on the dark web, through posts on underground hacking message boards and forums. The malware is also a new arrival on the scene, and researchers believe it is still being developed and expanded, which makes it more dangerous than originally thought.

That's not to say that Borat RAT doesn't have a scary array of features already built into it. In addition to spying and trojan-like capabilities, the malware features a ransomware module that can encrypt and decrypt files and even offers the ability to customize ransom notes for each buyer.

The malicious tool can also spy on victims using a variety of methods. From recording microphone audio to grabbing screenshots or snapping images using a webcam found on the device, Borat RAT has an impressive feature set. The malware can also log keystrokes and includes a distributed denial of service (DDoS) module.

In addition to capturing keystrokes, the malware can also collect and exfiltrate browser data, ranging from cookies and history to login details.

Surprising joke features

It seems the authors of Borat RAT were trying to sell their product to every budding hacker out there, from those who know what they are doing to those who are in it for mischief more than serious profit. The malware kit includes some really strange and playful features, such as the ability to switch off the victim computer's monitor, swap the function of the left and right buttons of a connected mouse or play audio in what looks like an effort to prank the victim.

The team at Cyble Research Labs who analyzed the payload of Borat RAT noted that the malware uses the technique of process hollowing to avoid detection by antivirus software. Process hollowing is an approach used by threat actors that compromises a regular and legitimate process running on the host system, then allows the hackers to execute malicious code inside the memory space used by the hijacked process.
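For defenders, process hollowing can be surfaced from Sysmon telemetry: Event ID 25 (ProcessTampering) with Type "Image is replaced". The sketch below is an added example, not code from the article or from the Cyble analysis; the sample events, the allowlist entry and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: images known to raise benign ProcessTampering events in this
# environment (browsers are a common source). Tune per fleet.
ALLOWLIST = {r"c:\program files\google\chrome\application\chrome.exe"}

def parse_event(xml_text):
    """Return (event_id, {field: value}) for one Sysmon event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    fields = {d.get("Name"): d.text or ""
              for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, fields

def hollowing_alerts(events_xml):
    """Flag ProcessTampering events whose in-memory image was replaced."""
    alerts = []
    for xml_text in events_xml:
        event_id, f = parse_event(xml_text)
        if event_id != 25 or f.get("Type") != "Image is replaced":
            continue  # other event IDs, or the "locked for access" variant
        if f.get("Image", "").lower() in ALLOWLIST:
            continue  # known-noisy image, suppressed
        alerts.append({"pid": int(f["ProcessId"]), "image": f["Image"],
                       "time": f.get("UtcTime", "")})
    return alerts

def _sample(event_id, pid, image, tamper_type=None):
    """Build a constructed Sysmon-style event (not real telemetry)."""
    type_field = f'<Data Name="Type">{tamper_type}</Data>' if tamper_type else ""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>'
            f'<Data Name="UtcTime">2022-01-01 00:00:00.000</Data>'
            f'<Data Name="ProcessId">{pid}</Data>'
            f'<Data Name="Image">{image}</Data>{type_field}</EventData></Event>')

SAMPLE_EVENTS = [  # constructed sample data
    _sample(1, 4120, r"C:\Windows\System32\svchost.exe"),
    _sample(25, 4120, r"C:\Windows\System32\svchost.exe", "Image is replaced"),
    _sample(25, 5300, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
            "Image is replaced"),
    _sample(25, 6100, r"C:\Windows\System32\notepad.exe",
            "Image is locked for access"),
]

if __name__ == "__main__":
    for alert in hollowing_alerts(SAMPLE_EVENTS):
        print(alert)
```

An alert here is a lead for triage: correlate the flagged process ID with its process-creation event and parent process before treating it as malicious.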

With the malware still not widely adopted or used in active campaigns, it's a little difficult to predict how much of a threat it will become, but researchers are warning that the Borat RAT should not be taken lightly. With development still in its active phase and with the malware now being actively distributed, Borat RAT is one to look out for.