HabitsRAT – A new Go malware targeting Windows and Linux

Researchers discovered a new type of malware written in the Go language and named it HabitsRAT. The malware targets both Windows and Linux platforms. At the time of the report, none of the antivirus engines on VirusTotal detected the Linux version of HabitsRAT. The malware allows an attacker to remotely access and control the infected computer. Each remote control command carries a signature made with a private key that only the attacker holds, and the malware will not execute a command that is not signed with the correct key. The software was developed by highly skilled programmers.

On March 28th, researcher Brian Krebs published a blog post about attacks on Microsoft servers. The Windows version of HabitsRAT discovered by the researchers is the malware described in that post. In one of the attacks described there, the attacker deployed a webshell called “Babydraco”, which was then used to deploy new malware. The dropped binary is named “krebsonsecurity.exe” and uses the C2 server at “brian[.]krebsonsecurity[.]top”. The malware turned out to be a remote access Trojan (RAT) written for Windows and Linux computers. Based on a string found in the malware, the researchers named it HabitsRAT.

Although the Windows version of the RAT has been confirmed on the infected Microsoft servers, it is still unknown what type of server the Linux version targets.

HabitsRAT is a multi-platform malware family targeting Windows and Linux environments, with a lot of code reuse between the two variants. It provides the attacker with the ability to execute arbitrary code on the infected computer. To protect its C2 communication, PGP is used to encrypt and sign data. Make sure that Internet-facing servers are patched to prevent HabitsRAT infection.

IOCs
