The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Lilith Ransomware

Aug 4, 2022 11:37:11 AM / by PolySwarm Tech Team posted in Threat Bulletin, Ransomware, Lilith, Lilithcrypt

0 Comments



Executive Summary

Cyble recently reported on Lilith Ransomware, which appends the .lilith extension to encrypted files.

Read More

Recent Ransomware Threats to Healthcare

Jul 21, 2022 10:27:35 AM / by PolySwarm Tech Team posted in Threat Bulletin, North Korea, Ransomware, Iran, IcedID, Healthcare, Maui, Quantum, Hospital

0 Comments



Executive Summary

Multiple ransomware families have been used to target the healthcare vertical in the past year.  In this report, we cover recently reported attacks on the healthcare vertical leveraging Maui and Quantum ransomware families.

Read More

HavanaCrypt Distributed Via Fake Google Software Update

Jul 18, 2022 9:04:52 AM / by PolySwarm Tech Team posted in Threat Bulletin, Ransomware, HavanaCrypt

0 Comments



Executive Summary

Trend Micro recently reported on HavanaCrypt ransomware, which is being distributed disguised as a fake Google software update.

Read More

Lockbit 3.0

Jul 14, 2022 10:29:24 AM / by PolySwarm Tech Team posted in Threat Bulletin, Ransomware, LockBit, Lockbit 3.0, LockbitBlack

0 Comments



Executive Summary

Cluster25 recently reported on Lockbit 3.0, the latest version of Lockbit ransomware. Version 3.0 includes new features and a ransomware bug bounty program.

Read More

New Hive Ransomware Rust Variant

Jul 11, 2022 10:37:20 AM / by PolySwarm Tech Team posted in Threat Bulletin, Ransomware, Hive, Rust

0 Comments



Executive Summary

Microsoft recently reported on a new variant of Hive ransomware written in Rust. This is a departure from previous versions, which were written in GoLang.

Key Takeaways

Read More

Black Basta Ransomware

Jul 5, 2022 12:33:54 PM / by PolySwarm Tech Team posted in Threat Bulletin, Ransomware, Windows, Linux, Black Basta, Qbot

0 Comments



Executive Summary

Cybereason recently reported on Black Basta ransomware, which has claimed around 50 victims so far, making it a prominent threat.

Read More

Cerber2021 Targets Windows and Linux

Jun 30, 2022 10:18:47 AM / by PolySwarm Tech Team posted in Threat Bulletin, Ransomware, Cerber, CerberImposter, CVE-2022-26134, Cerber2021

0 Comments



Executive Summary

Cyble recently reported on the resurgence of Cerber2021 ransomware, which targets both Windows and Linux systems.

Key Takeaways

Read More

Borat RAT - A Triple Threat

Apr 8, 2022 10:25:51 AM / by PolySwarm Tech Team posted in Threat Bulletin, DDoS, Ransomware, Backdoor, BoratRAT

0 Comments



Background

Cyble recently published research on Borat RAT, a triple threat capable of providing backdoor access, facilitating spyware capabilities, and conducting DDoS and ransomware attacks. This emerging threat can be used to perform double and triple extortion attacks, where threat actors demand ransom and also threaten victims with the sale or leak of stolen data and DDoS attacks.


What is Borat RAT?

Borat RAT is a remote access trojan with extended capabilities allowing threat actors to spy on victims and conduct DDoS attacks and ransomware attacks. It is being sold on the underground and is advertised to have multiple features, allowing threat actors to tailor their attacks to a particular victim.


According to Cyble, Borat RAT comes as a package including a builder binary, supporting modules, and a server certificate. Threat actors have the option to compile the binary to perform DDoS and ransomware attacks.

Borat RAT has a number of features allowing threat actors to spy on and troll victims and to evade detection and maintain persistence. Its spyware features allow threat actors to recover saved Chrome and Edge browser passwords and Discord passwords. Other spyware features include keylogging, audio recording, and webcam recording.

Borat RAT has remote hVNC capabilities, such as hidden desktop and hidden browsers. It is advertised as having “remote fun” options allowing threat actors to troll or intimidate victims by turning peripherals on and off, enabling and disabling TaskMgr and Regedit, and showing or hiding the Start button. Borat RAT’s remote system options allow the threat actor to use remote shell, TCP,  reverse proxy, etc. Borat RAT also includes features allowing a threat actor to evade detection and maintain persistence.

IOCs

PolySwarm has a sample of Borat RAT.

b47c77d237243747a51dd02d836444ba067cf6cc4b8b3344e5cf791f5f41d20e


You can use the following CLI command to search for all Borat RAT samples in our portal:

Read More

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts