HabitsRAT Description

HabitsRAT is a new malware threat written in the Go programming language. It seems that more cybercriminals are starting to use Go specifically, as malware created with it appears to be harder for detection by anti-malware products. The main purpose of HabitsRAT, as its name suggests, is to act as a Remote Access Trojan (RAT) giving the threat actor control over the compromised system. When the threat was discovered by cybersecurity analysts initially, it was being deployed in an attack campaign targeting Microsoft Exchange servers. Since then, however, a new Windows variant has been released alongside a variant that is capable of infecting Linux servers.

While the design of HabitsRAT seems simple enough, its functionality makes the threat quite effective. The code structure of the Windows and Linux versions shares considerable overlap with the system-specific code being contained in the 'commandplatform_windows.go,' 'keyplatform_windows.go' and 'persistencehandler_windows.go' files. Upon execution, the binary of the threat installs itself into a folder on the drive - '%SystemDrive%WindowsDefenderMsMpEng.exe' for Windows and '$HOME/.config/polkitd/polkitd' on Linux. The next action performed by HabitsRAT is to check if its persistence mechanism has been already established. If not, the threat will proceed to create an 'xml' scheduled task on Windows while on Linux it uses a 'systemd' unit file.

An Encryption Key Verifies HabitsRAT Commands

To make sure that their threatening tool is not taken over by another party, the cybercriminals have implemented an encryption feature. HabitsRAt uses public cryptography to encrypt, as well as to authenticate the commands it receives from the Command-and-Control (C2, C&C) servers of the attack campaign. The public-private key pair is generated using the Proton Mail open-source library.

The authentication key is stored on the disk. The Linux version of HabitsRAT writes to either '$HOME/.config/.accounts-daemon/accounts-daemon.login.conf' or '/usr/share/accounts-daemon/accounts-daemon.so' depending on whether it is signed as a normal user or not. The Windows versions of the threat use '%SystemDrive%WindowsDefenderMsMpEng.dll' or '%APPDATA%Windows NTDefenderMsMpEng.dll' instead.

If no command is received, HabitsRAT sleeps itself for 10 seconds and then sends another request to the C2 servers. All incoming communication must be signed by the threat actor with the right key.

A New Windows Version of HabitsRAT

Cybersecurity researchers caught a new version of the HabitsRAT variant that targets Windows systems. The HabitsRAT version 12 appears to possess much of the same functionality displayed by its predecessor. The main difference is that a new C2 key is being required while HabitsRAT now supports multiple C2 addresses. More specifically, four different addresses have been identified with the threat picking one of them at random. The list of addresses is stored in two files - '%SystemDrive%WindowsDefenderDefender.dll' and
'%APPDATA%Windows NTDefenderDefender.dll.'