Related Families: ALPHV
Executive Summary
Fin8 was observed leveraging Sardonic backdoor to deliver ALPHV ransomware.
Jul 24, 2023 2:44:05 PM / by The Hivemind posted in Threat Bulletin, ALPHV, Backdoor, Fin8, Sardonic
Related Families: ALPHV
Jul 17, 2023 2:08:32 PM / by The Hivemind posted in Threat Bulletin, Financial, Government, China, Backdoor, Vixen Panda, Graphican
Related Families: Ketrican, BS2005
Verticals Targeted: Government, Financial
Oct 31, 2022 1:16:52 PM / by PolySwarm Tech Team posted in Threat Bulletin, India, Pakistan, Backdoor, Sidewinder, WarHawk
Executive Summary
Zscaler recently reported on WarHawk, a new backdoor used by the Indian threat actor group SideWinder.
Oct 3, 2022 3:59:17 PM / by PolySwarm Tech Team posted in Threat Bulletin, Linux, Backdoor, SparklingGoblin, SideWalk
Related Families: Specter RAT, SideWalk (Windows)
Verticals Targeted: Education
Executive Summary
ESET recently reported on a SideWalk Linux variant. SideWalk is a backdoor used by the SparklingGoblin threat actor group.
Jul 8, 2022 2:33:33 PM / by PolySwarm Tech Team posted in Threat Bulletin, Government, Backdoor, SessionManager, NGO, IIS
Executive Summary
Kaspersky recently reported on SessionManager, a difficult to detect backdoor targeting governments and NGOs in multiple countries.
Apr 8, 2022 1:25:51 PM / by PolySwarm Tech Team posted in Threat Bulletin, DDoS, Ransomware, Backdoor, BoratRAT
Background
Cyble recently published research on Borat RAT, a triple threat capable of providing backdoor access, facilitating spyware capabilities, and conducting DDoS and ransomware attacks. This emerging threat can be used to perform double and triple extortion attacks, where threat actors demand ransom and also threaten victims with the sale or leak of stolen data and DDoS attacks.
What is Borat RAT?
Borat RAT is a remote access trojan with extended capabilities allowing threat actors to spy on victims and conduct DDoS attacks and ransomware attacks. It is being sold on the underground and is advertised to have multiple features, allowing threat actors to tailor their attacks to a particular victim.
According to Cyble, Borat RAT comes as a package including a builder binary, supporting modules, and a server certificate. Threat actors have the option to compile the binary to perform DDoS and ransomware attacks.
Borat RAT has a number of features allowing threat actors to spy on and troll victims and to evade detection and maintain persistence. Its spyware features allow threat actors to recover saved Chrome and Edge browser passwords and Discord passwords. Other spyware features include keylogging, audio recording, and webcam recording.
Borat RAT has remote hVNC capabilities, such as hidden desktop and hidden browsers. It is advertised as having “remote fun” options allowing threat actors to troll or intimidate victims by turning peripherals on and off, enabling and disabling TaskMgr and Regedit, and showing or hiding the Start button. Borat RAT’s remote system options allow the threat actor to use remote shell, TCP, reverse proxy, etc. Borat RAT also includes features allowing a threat actor to evade detection and maintain persistence.
IOCs
PolySwarm has a sample of Borat RAT.
b47c77d237243747a51dd02d836444ba067cf6cc4b8b3344e5cf791f5f41d20e
You can use the following CLI command to search for all Borat RAT samples in our portal:
Apr 1, 2022 1:19:34 PM / by PolySwarm Tech Team posted in Threat Bulletin, Serpent, Chocolatey, Backdoor, Python