Borat RAT: New RAT with Ransomware Capability

Description

FortiGuard Labs is aware of a report that a new Remote Access Trojan (RAT) called "Borat" is sold in underground forums. The RAT provides not only typical RAT capabilities such as keylogging, audio and webcam recording, and browser credential stealing to cybercriminals, but also offers file encryption and decryption capability as well as creating a ransom note on the victim's machine.

Why is this Significant?

This is significant because Borat RAT not only enables cybercriminals to perform typical RAT activities but also provides ransomware capabilities as well.

What Functionalities Does Borat RAT Provide?

Borat RAT allows an attacker to perform the following activities:

• Keylogging
• Ransomware activities such as encrypting and decrypting files as well as creating a ransom note on the victim's machine
• Distributed Denial of Service (DDoS)
• Audio and webcam recording
• Remote desktop
• Reverse proxy
• Steals device info
• Process hollowing
• Credential stealing
• Discord token stealing
• Play audio
• Swap mouse buttons
• Hold mouse
• Show and hide the Desktop and the taskbar
• Enable and disable webcam light
• Hang system
• Turn off the monitor
• Display blank screen

What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage for Borat RAT:

MSIL/Agent.CFQ!tr

MSIL/Keylogger.DUS!tr

Malicious_Behavior.SB

Appendix

Remote Access Trojan Capable Of Conducting Ransomware & DDOS Activities (Cyble)