Detect Borat Remote Access Malware

A new tricky remote access tool dubbed Borat RAT was found by cybersecurity researchers. Just like the name suggests, it is a crazy mix of things that is hard to wrap your head around. Borat Trojan is a collection of malware modules coming with a builder and server certificate which includes more than 10 malicious functions.

If Borat enters the system, it is capable of gaining control over the mouse and keyboard, files, and network resources, capable of video and audio recording, credential theft, DDoS, ransomware, keylogging, and much more. To boot, Borat RAT obfuscates data to make its presence unnoticeable. Learn more about the solutions that we propose for detecting the above mentioned malware.

Borat Remote Access Malware Detection

You can detect Borat (RAT) generators by deploying the newest rule created by our Threat Bounty developer Furkan Celik.

Borat Remote Access Trojan Detection Enabling Ransomware Attacks(via file_event)

This rule is translated into the following SIEM, EDR & XDR formats: Microsoft Sentinel, Chronicle Security, Elastic Stack, Splunk, Sumo Logic, ArcSight, QRadar, Humio, Microsoft Defender for Endpoint, Devo, FireEye, Carbon Black, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, AWS OpenSearch.

The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Command and Control tactic and Ingress Tool Transfer (T1105) technique.

As you know, adversaries don’t stop after they have developed a certain piece of malware and even when they are successfully selling it on a dark web market. Instead, they keep renewing and polishing their creations on the go. To avoid the situation when you are missing out on the latest Borat RAT updates, view the list of all detections available for this cyber-attack to date. You can refine your search criteria to match the specific needs in the Advanced Search section. 

Also, if you are a threat hunter or a detection engineer, there is a chance to gain recognition and monetary benefits by signing up for our crowdsourcing initiative. Make your own custom detections, submit them to the platform, and help to increase global cyber resilience.

View Detections Join Threat Bounty

Borat RAT Analysis

As we mentioned above, there is a multitude of Borat’s features which researchers divided into a few main categories:

• Remote hVNC — hidden desktop and browsers
• Remote Fun — monitor on/off, show/hide taskbar, clock, tray, mouse, etc., enable/disable Task Manager, disable UAC, and more
• Remote System — remote shell, reverse proxy, registry editor, file manager, TCP connection, and more
• Stub Features — change of client name, disable defender, change registry name, anti-kill, enable key logger, and more
• Password Recovery — Chrome and Edge
• RAT + HVNC — HVNC features plus remote download & execution

For easy navigation across such broad functionality, attackers have created a special dashboard where a malicious user can pick their current objectives and if needed, compile a binary for DDoS and ransomware.

Borat RAT is potentially highly dangerous malware because it is a unique mix of RAT, ransomware, a DDoS tool, and a spyware all-in-one pack. By installing only one Trojan, adversaries are able to launch a whole range of attacks. They can choose whether they want to hijack the device controls, steal information, alter system settings, or delete files. SOC Prime’s Detection as Code platform offers a collaborative cyber defense approach, uniting the world’s most prominent cybersecurity specialists for creating and sharing timely detection items so that organizations can always be a few steps ahead of emerging threats.