Researchers discovered a new type of malware written in the Go language and named it HabitsRAT. The malware targets both Windows and Linux platforms. At the time of the report, none of the antivirus engines on VirusTotal detected the Linux version of HabitsRAT. The malware allows an attacker to remotely access and control the infected computer. Each remote control command must carry a signature made with a private key that only the attacker has access to; the malware will not execute a command that is not signed with the correct key. The software is developed by highly skilled programmers.
On March 28th, researcher Brian Krebs published a blog post about attacks on Microsoft Exchange servers. The Windows version of HabitsRAT discovered by the researchers was the malware described in that post. In one of the attacks it describes, the attacker deployed a webshell called “Babydraco”, which is used to deploy new malware. The deployed binary is named “krebsonsecurity.exe” and uses the C2 server located at “brian[.]krebsonsecurity[.]top”. The malware was originally a remote access Trojan (RAT) written for Windows and Linux computers. Based on a string found in the malware, the researchers named it HabitsRAT.
Although the Windows version of the RAT has been shown to be installed on the infected Microsoft Exchange server, the type of server targeted by the Linux version is still unknown.
HabitsRAT is a multi-platform malware targeting Windows and Linux environments. There is a lot of code reuse between the two variants. It gives the attacker the ability to execute arbitrary code on the infected computer. To protect its C2 communication, it uses PGP to encrypt and sign data. Make sure that Internet-facing servers are patched to prevent HabitsRAT infection.
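The file name and C2 domain named above can be hunted for in DNS and process-creation logs. The following is an added example, not code from the researchers' report: it matches those two indicators with label-aligned domain comparison so that visits to the legitimate krebsonsecurity.com blog are not flagged. The function names and all sample log values are constructed for illustration.

```python
import re

# Indicators exactly as given on the page (the domain is defanged there).
C2_DOMAIN_DEFANGED = "brian[.]krebsonsecurity[.]top"
DROPPED_FILE = "krebsonsecurity.exe"

def refang(indicator: str) -> str:
    """Turn 'a[.]b [.] c' into 'a.b.c' so it can be compared to log values."""
    return re.sub(r"\s*\[\.\]\s*", ".", indicator).strip().lower()

def host_matches(host: str, indicator: str) -> bool:
    """True for the indicator or any subdomain of it, compared label by label."""
    host = host.strip().lower().rstrip(".")  # DNS logs often keep the root dot
    return host == indicator or host.endswith("." + indicator)

def file_matches(path: str) -> bool:
    """Compare only the final path component, case-insensitively."""
    name = re.split(r"[\\/]", path.strip())[-1]
    return name.lower() == DROPPED_FILE

def hunt(dns_queries, process_paths):
    """Return (dns_hits, file_hits) found in the supplied log values."""
    c2 = refang(C2_DOMAIN_DEFANGED)
    dns_hits = [q for q in dns_queries if host_matches(q, c2)]
    file_hits = [p for p in process_paths if file_matches(p)]
    return dns_hits, file_hits

# Constructed sample data, not taken from any real incident.
SAMPLE_DNS = [
    "krebsonsecurity.com",                    # legitimate blog: must not match
    "BRIAN.krebsonsecurity.top.",             # mixed case, trailing root dot
    "brian.krebsonsecurity.top.example.net",  # indicator is not the suffix
    "x.brian.krebsonsecurity.top",            # subdomain of the indicator
]
SAMPLE_PROCS = [
    r"C:\Users\Public\KrebsOnSecurity.exe",   # case differs, still a match
    r"C:\Tools\krebsonsecurity.exe.bak",      # different file name
    "/tmp/krebsonsecurity.exe",
]

if __name__ == "__main__":
    dns_hits, file_hits = hunt(SAMPLE_DNS, SAMPLE_PROCS)
    print("DNS hits:", dns_hits)
    print("File hits:", file_hits)
```

A file-name match alone is weak evidence, since the name is trivial to change; treat it as a lead to correlate with the DNS hits.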