Cyble-Borat-RAT-Analysis

Deep Dive Analysis – Borat RAT

Remote Access Trojan Capable of Conducting Ransomware & DDOS Activities

A Remote Access Trojan or RAT is a tool used by Threat Actors (TAs) to gain full access and remote control on a user’s system, including mouse and keyboard control, files access, and network resources access.

During our regular OSINT research, Cyble Research Labs came across a new Remote Access Trojan (RAT) named Borat. Unlike other RATs, the Borat provides Ransomware, DDOS services, etc., to Threat Actors along with usual RAT features, further expanding the malware capabilities.

The developer named this RAT ‘Borat’ after a black comedy mockumentary film, and the photo used in the RAT is of actor Sacha Baron Cohen, who played the main role in the film Borat. The features claimed by the Borat RAT author are given in Figures 1 & 2 below.

Figure 1: List of Features provided by the Borat RAT
Figure 2: Additional Features provided by Borat RAT

The Borat RAT provides a dashboard to Threat Actors (TAs) to perform RAT activities and also has an option to compile the malware binary for performing DDoS and ransomware attacks on the victim’s machine, as shown in Figure 3.

Figure 3: Borat RAT Dashboard

Technical Analysis

In this analysis, we will take a look at Borat RAT and its features in detail. The Borat RAT comes as a package which includes builder binary, supporting modules, server certificate, etc., as shown in Figure 4.

Figure 4: Borat Package

The figure below shows the supporting modules responsible for executing the RAT features, as shown in Figure 5.

Figure 5: DLLs used to execute Features

Keylogger

The module “keylogger.exe” is responsible for monitoring and storing the keystrokes in the victim’s machine. The below image shows the keyboard-related APIs used by the RAT for keylogging purposes. The captured keystrokes are saved in a file called “Sa8XOfH1BudXLog.txt” for exfiltration.

Figure 6: Keyboard APIs

Ransomware

Interestingly, the RAT has an option to deliver a ransomware payload to the victim’s machine for encrypting users’ files as well as for demanding a ransom. Like other ransomware, this RAT also has the capability to create a ransom note on the victim’s machine.

Figure 7: Code to generate Ransom Note

The RAT has the code to decrypt files in the victim’s machine once the ransom is paid – as shown below.

Figure 8: Decryption Method

DDOS

This RAT can also disrupt the normal traffic of a targeted server by performing a DDOS attack. The below figure shows the code used by RAT for the DDOS attack.

Figure 9: Code for DDoS Attack

Audio Recording

Borat RAT can record the audio of a computer. Initially, it checks if a microphone is present in the victim’s machine. If it can find a connected microphone, the RAT records all audio and saves it in a file named micaudio.wav.

Figure 10: Code for Mic Recording

Webcam Recording

Borat RAT can capture videos through any webcam present in the victim’s machine. First, it identifies if a webcam is present in the victim’s machine, and then it starts recording the video if a webcam is available.  

Figure 11: Webcam Recording

Remote Desktop

This malware takes the remote desktop of the infected machine. It then gives the Threat Actor (TA) the necessary rights to perform activities such as controlling the victim’s machine, mouse, keyboard, and capturing the screen. Controlling the victim’s machine can allow TAs to perform several activities such as deleting critical files, executing ransomware in the compromised machine, etc. The below figure shows the functions used by the RAT for performing Remote Desktop activities.

Figure 12: Functions used for performing Remote Desktop Activities

Reverse Proxy

The RAT has code to enable reverse proxy for performing RAT activities anonymously. The TAs can hide their identity using this option while communicating with the compromised servers.

Figure 13: Reverse Proxy Code

Device Information

The RAT collects information from the victim’s machine, including OS Name, OS Version, System Model, etc. The below figure shows the command used for collecting the information.

Figure 14: Command used for Capturing Device Info

Process hollowing

Using the RAT, the TAs can inject malicious code into the legitimate processes using the process hollowing technique. The below figure shows the APIs used by the RAT for process hollowing.

Figure 15: Process Hollowing

Browser Credential Stealing

Borat RAT can steal cookies, history, bookmarks, saved login credentials from chromium-based browsers like Google Chrome, Edge, etc. The below figure shows the functions used by the RAT for stealing browser credentials.

Figure 16: Functions used for Stealing Browser Credentials

Discord token Stealing:

 The RAT also steals Discord tokens and sends the stolen token information to the attacker.

Remote Activities:

The RAT performs the following activities to disturb the victims: Play Audio, Swap Mouse Buttons, Show/hide the Desktop, Show/hide the taskbar, Hold Mouse, Enable/Disable webcam light, Hang System, Monitor Off, Blank screen, etc.   

Conclusion  

The Borat RAT is a potent and unique combination of Remote Access Trojan, Spyware, and Ransomware, making it a triple threat to any machine compromised by it. With the capability to record audio and control the webcam and conduct traditional info stealing behavior, Borat is clearly a threat to keep an eye on. The added functionality to carry out DDOS attacks makes this an even more dangerous threat that organizations and individuals need to look out for. The Cyble Research Team is closely monitoring the RAT’s actions and will keep informing our clients and people worldwide.

Our Recommendations  

​We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:  

  • ​Don’t keep important files in common locations such as the Desktop, My Documents, etc. 
  • Use strong passwords and enforce multi-factor authentication wherever possible.  
  • ​Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.   
  • ​Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.      
  • ​Refrain from opening untrusted links and email attachments without verifying their authenticity.  
  • Conduct regular backup practices and keep those backups offline or in a separate network.  

MITRE ATT&CK® Techniques 

​Tactic ​Technique ID ​Technique Name 
​Execution T1204 ​User Execution 
Discovery  T1518Security Software Discovery
T1087Account Discovery
T1083File and Directory Discovery
CollectionT1123Audio Capture
T1005Data from Local System
T1056 .001Keylogging
T1113Screen Capture
T1125Video Capture
Command and ControlT1132Data Encoding
T1219Remote Access Software
ExfiltrationT1020Automated Exfiltration
ImpactT1485Data Destruction
T1486Data Encrypted for Impact
T1565Data Manipulation
T1499Endpoint Denial of Service

Indicators Of Compromise (IoCs)

​Indicators​Indicator typeDescription
d3559d9f1ca15f1706af9654fd2f4cccMD5Borat.zip
fb120d80a8c3e8891e22f20110c8f0aa59d1b036SHA1
d2ce3aa530ba6b6680759b79aa691260244ca91f5031aa9670248924cc983fb0SHA256
ddab2fe165c9c02281780f38f04a614eMD5BoratRAT.exe
2a5ad37e94037a4fc39ce7ba2d66ed8a424383e4SHA1
b47c77d237243747a51dd02d836444ba067cf6cc4b8b3344e5cf791f5f41d20eSHA256
3e645ccca1c44a00210924a3b0780955MD5BoratRat.exe.config
5d8e8115489ac505c1d10fdd64e494e512dba793SHA1
f29e697efd7c5ecb928c0310ea832325bf6518786c8e1585e1b85cdc8701602fSHA256
f41bfa672cca0ec7a2b30ecebf7eac7eMD5ServerCertificate.p12
d24d4fbd79967df196e77d127744659bbb2288d6SHA1
8c300944ae62e17ab05ad408c5fb5473ebccac514c8ddc17c47bc9fda451c91bSHA256
9726d7fe49c8ba43845ad8e5e2802bb8MD5Audio.dll
8bcdf790826a2ac7adfc1e8b214e8de43e086b97SHA1
df31a70ceb0c481646eeaf94189242200fafd3df92f8b3ec97c0d0670f0e2259SHA256
7ee673594bbb20f65448aab05f1361d0MD5Discord.dll
2a29736882439ef4c9088913e7905c0408cb2443SHA1
8fa7634b7dca1a451cf8940429be6ad2440821ed04d5d70b6e727e5968e0b5f6SHA256
62c231bafa469ab04f090fcb4475d360MD5Extra.dll
82dda56bc59ac7db05eddbe4bcf0fe9323e32073SHA1
6a4f32b0228092ce68e8448c6f4b74b4c654f40fb2d462c1d6bbd4b4ef09053dSHA256
4ccd3dfb14ffdddfa598d1096f0190eaMD5FileManager.dll
c68c30355599461aca7205a7cbdb3bb1830d59c8SHA1
7f8a306826fcb0ee985a2b6d874c805f7f9b2062a1123ea4bb7f1eba90fc1b81SHA256
0b7c33c5739903ba4f4b78c446773528MD5FileSearcher.dll
b58555bebddf8e695880014d34a863a647da547eSHA1
2d9625f41793f62bfe32c10b2d5e05668e321bcaf8b73414b3c31ef677b9bff4   SHA256
499fc6ac30b3b342833c79523be4a60cMD5Fun.dll
dcf1ed3fbc56d63b42c88ede88f9cad1d509e7ecSHA1
dcac599b1bab37e1a388ac469e6cc5de1f35eb02beaa6778f07a1c090ce3ea04SHA256
87651b12453131dafd3e91f60d8aef5aMD5Information.dll
d5db880256bffa098718894edf684ea0dc4c335dSHA1
a15d72d990686d06d89d7e11df2b16bcd5719a40298c19d046fa22c40d56af44SHA256
0cd62cd02962be20ed92abcd0c9e9a25MD5ip2region.db
69fbadc8a4461413c30cd0579d89f8668187e5a2SHA1
5c124a7e35025d3e94df6b17dca5332e9a5aaabdca2355c113f3c93b572281b7SHA256
a45679bdcf30f068032bd37a194fa175MD5Keylogger.exe
f23fd98f28bb0b482f0aae028172e11536e4688cSHA1
16beb1ae2de2974ccc2371d9f619f492295e590abb65d3102e362c8ec27f2bbbSHA256
872145b37d107144894c9aa8729bad42MD5Logger.dll
01610587bcfa7ac379b1f0169a2a9ab384b9116bSHA1
2f258949fd95da6cd912beb7203a9fd5e99d050309a40341de67537edb75aadcSHA256
590b00c87d5ff2ffe09079f0406eb2cdMD5MessagePackLib.dll
92c91f1db8c2c8cc34c2e1a26f4f970f1518a7edSHA1
adb00dee751b4ba620d3b0e002f5b6d8b89cf63b062f74ec65bba72294d553d1SHA256
509d41da4a688a2e50fc8e3afca074c7MD5Miscellaneous.dll
228de17938071733585842c59ffb99177831b558SHA1
f91973113fd01465999ce317f3e7a89df8c91a5efadcfa61e5ccce687bf3580aSHA256
509d41da4a688a2e50fc8e3afca074c7MD5Miscellaneous.dll
228de17938071733585842c59ffb99177831b558SHA1
f91973113fd01465999ce317f3e7a89df8c91a5efadcfa61e5ccce687bf3580aSHA256
12911f5654d6346fe99ef91e90849c13MD5Netstat.dll
1b8e63d03feb84d995c02dcbb74da7edfaa8c763SHA1
7eed1b90946a6db1fe978d177a80542b5db0bf3156c979dc8a8869a94811bf4bSHA256
3a474b8dee059562b31887197d94f382MD5Options.dll
b31455f9583b89cac9f655c136801673fb7b4b9aSHA1
c9b8e795c5a024f9e3c85ba64534b9bf52cc8c3d29b95ff6417dc3a54bc68b95SHA256
91edcb945924df5fbf4ff123aa63199cMD5ProcessManager.dll
d124869aaee9aa1a49def714774b834335aa746eSHA1
5b1f80ff787bdcd7ee12aa64be1f2f5f1f658bd644bbc5fd73527b51da6ce0d6SHA256
ef998529d037fcdb2bde6d046f99db45MD5Ransomware.dll
1a38a1182155429ecc64c20ece46ec0836c32ec7SHA1
54f554b9e330476b3903756f62b577bab35cdef941d3d0f6a3d607862762bf91SHA256
ea1ff113b847312d57fa8621f71f460fMD5Recovery.dll
535a4e525da7e98f4f4f69abc923a1065bd2d3faSHA1
58f9e3c90446dfecfec64221eb11167dd41d0e8dedda2ea9f83d9dda2890e6f3SHA256
8749c78b8ad09a3b240dd1384a17539bMD5Regedit.dll
b9263ac725ccd8c664ae0f9da5fc0d00adcb8c5eSHA1
657e3f1f449c0b710b0c571ec8eee689ae16793fb63b996e0182420d768f89bdSHA256
acbf0f8b09320f3e967ee83fcda26f5dMD5RemoteCamera.dll
bbee0fa1c88edcd0469974223fb026e1176256dcSHA1
203300be75ad8f57972324519b2583a44e759cdd57390d6765df10288e249789SHA256
0f93650dd78557f41b7c5467e3b6b6a7MD5RemoteDesktop.dll
382bd4496eb7439fde85832abca87cc21cb7872fSHA1
cc5b49d2a2821d4f6ef6af8a1e50994c6690d6a4daa41bd048fe79bd8b578988SHA256
e89a0b897f93d7d5cb433b3fd01764c9MD5ReverseProxy.dll
9e72e85d13fe70c2518041e30d202f04b14324b6SHA1
d8a115310142f2e874dc7ea2a393fada679838bddb87f4cfd9aaef631641cb72SHA256
7f3a6c23c979f840d98b8b04a583cde9MD5SendFile.dll
941c50a425479c5f025fbb152a1a0754ac03c252SHA1
0da1bd8e67d6f499cc3b296fc278103497f7ca2f692fe76e3c0413b0e14df777SHA256
d405b02cb6c624a7df4ebecefc5d23a9MD5SendMemory.dll
0272d8cc3456a9bdfff7431f9ce238c93511cacdSHA1
e06a66122af82580a883ce21609f89628e5dd648726307693d398c0661a1e5c1SHA256
Scroll to Top