
Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
ANTI-CYBERCRIME GROUP
Camp BGen Rafael T Crame, Quezon City

ACG-CYBER SECURITY BULLETIN NR 259: UNDERSTANDING THE RISK OF BORAT REMOTE ACCESS TROJAN (RAT) MALWARE

Reference Number ACG-CSB 072022259

         The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG). It is classified as Restricted pursuant to PNP Regulation 200-012 on Document Security and given an Impact Rating of High based on the PNP Information Communication Technology (ICT) Security Manual s.2010-01, p. 22 and p. 129.

SUMMARY

   A new Remote Access Trojan (RAT) may have an amusing name to some, but its capabilities show the malware to be no laughing matter. The new RAT, named Borat, has appeared on dark net markets. It offers easy-to-use features for conducting DDoS attacks, bypassing User Account Control (UAC), and deploying ransomware.

   Borat poses a serious threat to targeted organizations and individuals. Its operators can choose the compilation options, producing small payloads that contain only the features they need for a highly tailored attack. Borat lets a remote threat actor take complete control of the victim's mouse and keyboard, access files and network resources, steal login credentials from browsers, and hide any sign of its presence.

   Borat comes as a package that includes a builder, the malware's modules, and a certificate, allowing threat actors to customize the malware for sophisticated attacks. Unlike most RATs, Borat provides a ransomware encryption and decryption component, an option for operators to generate their own ransom notes, and an optional Distributed Denial-of-Service (DDoS) feature for disrupting the normal traffic of a targeted server.

   Cybercriminals can deploy ransomware payloads and leave custom ransom notes on their victims' machines. Once a machine is compromised, Borat can also use the machine's resources to direct traffic at other targeted servers. It can harass victims with actions such as playing audio, showing or hiding the desktop, showing or hiding the taskbar, holding the mouse, enabling the webcam light, turning off the monitor, and hanging the system.

   Threat actors usually distribute RATs such as Borat through trojanized executables or files that masquerade as cracks for games and applications, so users should not download executables from untrustworthy sources such as torrents or shady sites. The malware can record audio through the connected microphone, capture video through the computer's webcam, control the computer including its mouse and keyboard, capture the screen, and collect information about the computer. It can also enable a reverse proxy that lets cybercriminals operate anonymously, and inject malicious code into legitimate processes.

   Borat is a potent combination of Remote Access Trojan, spyware, and ransomware, making it a triple threat to any machine it compromises. Its ability to record audio, control the webcam, and carry out traditional information stealing already makes it a threat worth watching; the added DDoS functionality makes it even more dangerous for organizations and individuals. Unwitting users are most likely to be baited into executing the RAT through social engineering after the malware is delivered by phishing.

   Despite Borat's comical name, the versatility of this RAT makes it a dangerous threat that both private individuals and companies should be wary of. The impact of Borat gaining entry to an individual's or an organization's system could be catastrophic, and proper security practices should be observed to help mitigate threats such as this.

RECOMMENDATION

            All PNP personnel as well as the public are advised to follow these tips to avoid becoming a victim of a Borat Remote Access Trojan attack:

  • Keep the browser and plug-ins updated;
  • Do not open attachments or links in irrelevant emails sent from unknown or suspicious addresses;
  • Regularly run system scans;
  • Use reliable antivirus software on the computer;
  • Enable network-level authentication for Remote Desktop connections;
  • Never click on pop-ups;
  • Do not click links (URLs) in emails unless you know exactly who sent them;
  • Turn on the automatic software update feature on all connected devices; and
  • Use two-factor authentication.
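The following PowerShell audit script is an added example and is not part of this bulletin or of any PNP ACG tooling. It checks a Windows host for three of the settings the recommendations above depend on and that Borat's advertised UAC bypass makes relevant: whether UAC is enabled and set to "Always notify", whether Remote Desktop requires network-level authentication (or is disabled), and whether automatic updates are turned off by policy or by a disabled service. The registry locations are the documented Windows policy keys; the function name Test-BoratMitigations, the OK/WARN/FAIL labels, and the statement that many public UAC bypass techniques depend on auto-elevation (a general observation, not a claim about Borat's specific implementation) are this example's own assumptions.

```powershell
# Added audit example (not from the PNP ACG bulletin). Run from an elevated PowerShell prompt.
# Function name, expected values and output format are this example's own choices;
# registry paths are the standard Windows policy locations.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is missing instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-BoratMitigations {
    $results = @()

    # 1. UAC. Many public UAC bypass techniques abuse auto-elevating binaries, which only
    #    auto-elevate when the prompt level is below "Always notify" (assumption: general
    #    observation, not specific to Borat). EnableLUA=1, ConsentPromptBehaviorAdmin=2
    #    and PromptOnSecureDesktop=1 correspond to "Always notify".
    $uacPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $enableLua = Get-RegValue $uacPath 'EnableLUA'
    $consent   = Get-RegValue $uacPath 'ConsentPromptBehaviorAdmin'
    $secureDt  = Get-RegValue $uacPath 'PromptOnSecureDesktop'
    $results += [pscustomobject]@{
        Check  = 'UAC enabled (EnableLUA)'
        Value  = "EnableLUA=$enableLua"
        Status = if ($enableLua -eq 1) { 'OK' } else { 'FAIL' }
    }
    $results += [pscustomobject]@{
        Check  = 'UAC prompt level is "Always notify"'
        Value  = "ConsentPromptBehaviorAdmin=$consent; PromptOnSecureDesktop=$secureDt"
        Status = if ($consent -eq 2 -and $secureDt -eq 1) { 'OK' } else { 'WARN' }
    }

    # 2. Remote Desktop network-level authentication (recommendation "Enable network-level
    #    authentication"). UserAuthentication=1 requires NLA; fDenyTSConnections=1 means
    #    RDP is switched off entirely, which also satisfies the check.
    $tsPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpPath   = "$tsPath\WinStations\RDP-Tcp"
    $rdpDenied = Get-RegValue $tsPath 'fDenyTSConnections'
    $nla       = Get-RegValue $rdpPath 'UserAuthentication'
    $rdpStatus = if ($rdpDenied -eq 1) { 'OK (RDP disabled)' }
                 elseif ($nla -eq 1)   { 'OK (NLA required)' }
                 else                  { 'FAIL' }
    $results += [pscustomobject]@{
        Check  = 'Remote Desktop requires NLA or is disabled'
        Value  = "fDenyTSConnections=$rdpDenied; UserAuthentication=$nla"
        Status = $rdpStatus
    }

    # 3. Automatic updates (recommendation "Turn on the automatic software update feature").
    #    The policy key is absent on hosts using built-in defaults (updates on);
    #    NoAutoUpdate=1 turns them off. A disabled wuauserv service also blocks updates.
    $auPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $noAuto   = Get-RegValue $auPath 'NoAutoUpdate'
    $wuSvc    = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $auStatus = if ($noAuto -eq 1) { 'FAIL (disabled by policy)' }
                elseif ($null -eq $wuSvc -or $wuSvc.StartType -eq 'Disabled') { 'FAIL (service disabled)' }
                else { 'OK' }
    $results += [pscustomobject]@{
        Check  = 'Windows Update automatic updates'
        Value  = "NoAutoUpdate=$noAuto; wuauserv StartType=$($wuSvc.StartType)"
        Status = $auStatus
    }

    return $results
}

# Usage: print one row per check.
Test-BoratMitigations | Format-Table -AutoSize
```

The script only reads settings; it does not change them. A WARN on the UAC prompt level means UAC is on but at a level where auto-elevating binaries do not prompt, which is the condition most publicly known UAC bypasses rely on, so raising it to "Always notify" is the relevant hardening step. The remaining recommendations (antivirus, two-factor authentication, user caution with attachments and links) are not host settings and are not covered here.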

For additional information, please refer to the following websites:

  • https://www.threatadvice.com/blog/new-borat-remote-access-malware-is-no-laughing-matter
  • https://www.spiceworks.com/it-security/threat-reports/news/borat-rat-malware-discovered/
  • https://threatpost.com/borat-rat-ransomware-ddos/179233/

POINT OF CONTACT

Please contact PMAJ JUN-JUN S DAGURO, Police Community Relations Officer, by e-mail or by telephone at (632) 8723-0401 local 7483 for any inquiries related to this CYBER SECURITY BULLETIN.