Rewterz Threat Alert – Borat RAT – Active IOCs

Severity

High

Analysis Summary

Borat RAT (Remote Access Trojan) is new RAT that is able to provide both ransomware and DDoS services along with the usual RAT capabilities, making it a deadly threat. The author claims that Borat is capable of delivering the following features:

and additional feature set including:

Borat RAT is also equipped with an easy-to-use dashboard that has an action to perform DDoS and Ransomware attacks on the victim’s system. A keylogger stores the key strokes on the victim’s machine with the module “keylogger.exe.” The RAT can also record audio, webcam footage, and remote desktop activities. It can also reverse proxy, collect device information, and credential stealing.

Impact

• Credential Theft
• Information Theft and Cyber Espionage
• Data Encryption
• Server Outage

Indicators of Compromise

Filename

• BoratRAT[.]exe

MD5

• ddab2fe165c9c02281780f38f04a614e

SHA-256

• b47c77d237243747a51dd02d836444ba067cf6cc4b8b3344e5cf791f5f41d20e

SHA-1

• 2a5ad37e94037a4fc39ce7ba2d66ed8a424383e4

Remediation

• Logging – Log your eCommerce environment’s network activity and web server activity.
• Passwords – Ensure that general security policies are employed including: implementing strong passwords, correct configurations, and proper administration security policies.
• Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
• WAF – Web defacement must be stopped at the web application level. Therefore, set up a Web Application Firewall with rules to block suspicious and malicious requests.
• Patch – Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Secure Coding – Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• 2FA – Enable two-factor authentication.
• Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using a multi-layered protection is necessary to secure vulnerable assets