BlackBerry ThreatVector Blog

BlackBerry Prevents BoratRAT

CYBERSECURITY / 06.02.22 / Hector Diaz

BoratRAT is a malware toolkit with many facets – capable of credential theft, creating ransomware, and distributed denial of service (DDoS) attacks. While named after a certain comedic character, this destructive crypto-viral kit is no laughing matter.

The Borat remote access trojan (RAT) targets device accessibility and easily defeats data security, leaving the threat actor with near-total control of the victim’s device. First spotted by Cyble researchers in March 2022, the malware can manipulate file systems and peripheral devices such as cameras and monitors, as well as record via microphone and webcam. Password credential theft is also well within its malicious capacity. BoratRAT’s primary intention is to hold a victim’s device and data hostage until a financial ransom is paid. If the ransom is not paid, the data and access stolen from the device may be destroyed or publicly revealed on a “leak site.”

With many similarities to the earlier SantaRAT threat, BoratRAT has greater versatility. Its multifarious capabilities make it a potential threat to organizations and individuals, with potentially severe consequences if BoratRAT gains access to any endpoint connected to a corporate network.

Discover how BlackBerry prevents BoratRAT attacks in our demo video showing BlackBerry® products versus a live sample of BoratRAT.  

DEMO VIDEO: BlackBerry vs. BoratRAT

Learn more about BoratRAT in our deep dive blog: Threat Thursday: BoratRAT

Figure 1 – CylanceOPTICS® detects BoratRAT running in a system’s memory, to immediately expose and remediate the threat

Figure 2 – CylancePROTECT® blocks the BoratRAT server in real time with AI-powered processing, preemptively preventing the threat before it can execute

BlackBerry Protection Against This Attack

CylancePROTECT® provides automated malware prevention, application and script control, memory protection, and device policy enforcement. CylanceOPTICS® extends the threat prevention by using artificial intelligence (AI) to prevent security incidents. It provides true AI incident prevention, root cause analysis, smart threat hunting, and automated detection and response capabilities.

Prevention First Philosophy

At BlackBerry, we take a prevention-first and AI-driven approach to cybersecurity. Putting prevention first neutralizes malware before the exploitation stage of the kill-chain. By stopping malware at this stage, BlackBerry solutions help organizations increase their resilience. It also helps to reduce infrastructure complexity and streamline security management, ensuring your business, people and endpoints are secure.

BlackBerry Assistance

Regardless of your existing BlackBerry relationship, the BlackBerry Incident Response team can work with organizations of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure.

For emergency assistance, please email us at DLIR@blackberry.com, or use our handraiser form. 

Video Transcription

Today, we will see how easy it is to take control of a victim’s system using BoratRAT, an all-in-one malware toolkit that is capable of a variety of destructive activities, including acting as ransomware and performing credential theft. 

On the left we have a BoratRAT server listening on multiple ports, waiting for a victim to fall into our trap. On the right, we have a system with CylanceOPTICS® in Audit-Only mode to allow this malware to run.

Let’s assume the client got here through a traditional infection vector. On execution, from a victim’s perspective, we can’t see any noticeable effect. But, on the left, we see how the endpoint reports back to BoratRAT, making an enumeration of the system, identifying the OS version, AV product, and enabling the attacker to conduct malicious activities including surveillance, malware deployment, system control, and more. 

If we conduct a root cause analysis with CylanceOPTICS, we see how this file runs in memory. From there it establishes a connection with its command and control (C2), and enumerates the operating system, AV products and more. As usual, CylancePROTECT® provides protection from these types of threats, years before they are created.

In this instance, we have a Cylance® engine from October 2015, no Internet connectivity, and the same client we created from BoratRAT. If we try to copy and execute this file on our Cylance-protected system, it is prevented in milliseconds.

Prevention is possible, with BlackBerry®.

About Hector Diaz

Senior Technical Marketing Manager at BlackBerry

Hector Diaz is a Senior Technical Marketing Manager for Latin America and the Caribbean at BlackBerry. Hector works with Engineering and Product Management to translate technology concepts into digestible pieces, evangelizing and educating people about Artificial Intelligence (AI) applied to cybersecurity.

With over 15 years of experience in cybersecurity, Hector is a respected professional who is in-demand at trade shows, partner training and customer engagements across Latin America and the Caribbean Region.