The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

PolySwarm Tech Team

Find me on:

Recent Posts

Industroyer2 Targets Ukrainian Energy Company

Apr 15, 2022 1:06:29 PM / by PolySwarm Tech Team posted in Ukraine, Russia, Threat Bulletin, Wiper, Critical Infrastructure, Industroyer2, Sandworm, Voodoobear

0 Comments



Background

ESET recently reported on Industroyer2, a multi-component ICS malware used to target a Ukrainian energy company.

Read More

Borat RAT - A Triple Threat

Apr 8, 2022 1:25:51 PM / by PolySwarm Tech Team posted in Threat Bulletin, DDoS, Ransomware, Backdoor, BoratRAT

0 Comments



Background

Cyble recently published research on Borat RAT, a triple threat capable of providing backdoor access, facilitating spyware capabilities, and conducting DDoS and ransomware attacks. This emerging threat can be used to perform double and triple extortion attacks, where threat actors demand ransom and also threaten victims with the sale or leak of stolen data and DDoS attacks.


What is Borat RAT?

Borat RAT is a remote access trojan with extended capabilities allowing threat actors to spy on victims and conduct DDoS attacks and ransomware attacks. It is being sold on the underground and is advertised to have multiple features, allowing threat actors to tailor their attacks to a particular victim.


According to Cyble, Borat RAT comes as a package including a builder binary, supporting modules, and a server certificate. Threat actors have the option to compile the binary to perform DDoS and ransomware attacks.

Borat RAT has a number of features allowing threat actors to spy on and troll victims and to evade detection and maintain persistence. Its spyware features allow threat actors to recover saved Chrome and Edge browser passwords and Discord passwords. Other spyware features include keylogging, audio recording, and webcam recording.

Borat RAT has remote hVNC capabilities, such as hidden desktop and hidden browsers. It is advertised as having “remote fun” options allowing threat actors to troll or intimidate victims by turning peripherals on and off, enabling and disabling TaskMgr and Regedit, and showing or hiding the Start button. Borat RAT’s remote system options allow the threat actor to use remote shell, TCP,  reverse proxy, etc. Borat RAT also includes features allowing a threat actor to evade detection and maintain persistence.

IOCs

PolySwarm has a sample of Borat RAT.

b47c77d237243747a51dd02d836444ba067cf6cc4b8b3344e5cf791f5f41d20e


You can use the following CLI command to search for all Borat RAT samples in our portal:

Read More

AcidRain Wiper

Apr 7, 2022 3:31:14 PM / by PolySwarm Tech Team posted in Threat Bulletin, Wiper, AcidRain, Viasat

0 Comments



Background

Sentinel One recently published research on AcidRain, a wiper malware used in an attack on Viasat KA-SAT in Ukraine.

What is AcidRain Wiper?

Read More

Serpent Backdoor

Apr 1, 2022 1:19:34 PM / by PolySwarm Tech Team posted in Threat Bulletin, Serpent, Chocolatey, Backdoor, Python

0 Comments


Background


Proofpoint recently published research on Serpent, a newly discovered backdoor malware. Proofpoint observed the malware targeting the construction, real estate, and government verticals in France.

Read More

BlackCat Ransomware

Mar 31, 2022 2:57:30 PM / by PolySwarm Tech Team posted in Threat Bulletin, Ransomware, BlackMatter, LockBit, BlackCat, ALPHV, DarkSide

0 Comments


Background

In our PolySwarm 2021 Year in Review, we made several predictions for this year, including that BlackCat ransomware would become more prevalent, due to its sophistication. BlackCat ransomware is ransomware as a service (RaaS), which was recently linked to the 

Read More

Surtr Ransomware

Mar 25, 2022 1:45:09 PM / by PolySwarm Tech Team posted in Threat Bulletin, Ransomware, Surtr, REvil, Sodinokibi

0 Comments


Background

Arete recently reported on Surtr ransomware, a RaaS. A recently discovered Surtr sample paid tribute to the REvil/Sodinokibi ransomware gang.

Read More

Nokoyawa Ransomware

Mar 24, 2022 2:13:03 PM / by PolySwarm Tech Team posted in Threat Bulletin, Ransomware, Hive, Nokoyawa

0 Comments



Background

Trend Micro recently reported on Nokoyawa, a ransomware family they discovered earlier this month. They stated Nokoyawa seems to have a connection with Hive ransomware, based on similarities in the attack chains of the two malware families.

Read More

CaddyWiper

Mar 21, 2022 1:45:31 PM / by PolySwarm Tech Team posted in Ukraine, Threat Bulletin, Wiper, CaddyWiper

0 Comments



Background

Since January, Ukraine has been targeted by several wiper malware families. In early February, we reported on the WhisperGate wiper. Earlier this month we spotlighted HermeticWiper and IsaacWiper. Ukraine was recently under attack by yet another wiper malware. ESET announced the discovery of CaddyWiper on March 14th in a tweet. Cisco Talos followed up a day later with more information on this malware.

Read More

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts