Borat RAT: Funny Name, Serious Threat

It may be named after a popular, irreverent mockumentary, but the new Borat remote access trojan (RAT), a malware strain recently spotted in the wild, is a serious threat to organizations.

The versatile Borat, now available on the darknet, not only deploys ransomware but features DDoS attacks and UAC bypass as well, “further expanding the malware capabilities,” according to the Cyble researchers that discovered the RAT.

It also broadens the number of threat actors that can launch attacks, appealing in some cases to the lowest common denominator. “Malware operators often don’t know the best way to monetize their victims until they have been in an environment awhile, so malware authors are increasingly developing feature sets and capabilities that allow flexibility on the part of the attacker,” said John Bambenek, principal threat hunter at Netenrich. “However, the history of these tools is that they tend to be used by less sophisticated criminals (or those pretending to be less sophisticated) who may find it difficult to succeed at ransomware-at-scale.”

Borat allows attackers to “gain full access and remote control on a user’s system, including mouse and keyboard control, files access and network resources access,” the researchers wrote. It “provides a dashboard to threat actors (TAs) to perform RAT activities and also has an option to compile the malware binary for performing DDoS and ransomware attacks on the victim’s machine.”

The Borat RAT is “a potent and unique combination of remote access Trojan, spyware and ransomware, making it a triple threat to any machine compromised by it,” Cyble researchers said, adding that the ability to record audio and control the webcam and conduct traditional info stealing behavior makes Borat worth watching. “The added functionality to carry out DDOS attacks makes this an even more dangerous threat that organizations and individuals need to look out for.”

Those who may have discounted the perils of DDoS attacks may want to rethink their position. “Ransomware and DDoS attacks are a constant threat for organizations and security bugs and flaws within software can be exploited to amplify these attacks,” said Jack Mannino, CEO at nVisium. “As these attacks are highly effective and can often be launched at a relatively low cost, DDoS threats will continue to be a persistent, real risk for today’s digital organizations.”

Security pros agree. “RATs and other Trojans can be especially insidious as they can enable a broad range of attacks, including keyloggers, which can be used for credential compromise,” noted Rajiv Pimplasker, CEO of Dispersive Holdings, Inc.

“Once again we see a variation of an existing attack put together as a new toolkit that uses various tactics and techniques to get their malware or ransomware to evade existing security controls. It also shows that misusing privileged access controls is an emerging trend where identity monitoring and analytics is critical for emerging and modern security operations teams to combat compromised credentials and abuse of identity,” said Saryu Nayyar, CEO and founder of Gurucul.

“Borat, in particular, is built-to-order and sold through an organized campaign which exposes the role that darknet markets play in cybercrime today,” said Chris Olson, CEO of The Media Trust.

Those Trojans “are one of many reasons we are seeing a rise in web and Java-based malware with sophisticated features like polymorphic and obfuscated code, rapid URL shifting and more,” Olson said. “It takes little expertise for attackers to target consumers and organizations through digital surfaces—only the money and inclination to acquire the right code from malicious actors who design it for a living.”

Underscoring that most cyberattacks aren’t sophisticated and rely on common techniques to gain access and deploy ransomware or steal data, Delinea Chief Security Scientist Joseph Carson said, “Weak credentials are one of the most common causes that make it easy for attackers to gain an initial foothold.”

To reduce the risks of becoming the next victim, organizations “must double down on the basics and make weak credentials a thing of the past,” he said. “Strong password management, privileged access security and multifactor authentication (MFA) will make it difficult for an attacker to be successful at gaining the initial foothold. This will likely force them to look for an easier target elsewhere.”

Additionally, organizations should “prepare to respond with a solid incident response plan,” Carson said. “Resiliency is vital to an organization’s ability to recover and get back to business quickly.”

As organizations up the difficulty for attackers, he said, bad actors will take more risks. Creating “more noise on the network, giving the defenders a better chance at detecting them.”

Image courtesy of: Michael Bulcik and Jarjar Zanaq (cc:by) https://commons.wikimedia.org/wiki/File:Borat.portrait.png

Avatar photo

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.

teri-robinson has 196 posts and counting.See all posts by teri-robinson