Disguised as Citrix Utility, Kedi RAT Exploits Gmail to Transfer Data

Remote Access Trojan (RAT) is one of the most used malicious software used by cyber criminals to target unsuspecting users. Based on its extensive use the IT security researchers at Sophos have discovered that there is a new RAT malware called Kedi that uses Gmail to steal data from the targeted computer.

The malware relies upon spear phishing mechanism for its distribution. The infected email opens a 32-bit Mono/.Net Windows executable that is written in C# language. The malware is disguised as a Citrix utility, but once it invades the targeted device, it changes its guise into an Adobe file and installs itself in Adobe’s %Appdata% folder. The registry starter hook shows this path:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run “Adobe Updates” = c:\Users\<username>\AppData\Roaming\Adobe\reader_sl.exe

While the infected endpoint is stored at:

HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\DefaultVisualStyle “HR” = <md5 of machine name>

Disguised as Critix Utility, Kedi RAT Exploits Gmail to Transfer Data
Kedi using Adobe to disguise (Credit: Naked Security)

Kedi RAT can evade security scanners and uses Gmail to create a connection with its C&C server. The main objective of spreading Kedi RAT is to steal data. The malware can perform a variety of functions most of which are command-driven, such as it is equipped with AntiVM/anti-sandbox features, it can upload and download backdoors, serve as a keylogger, capture screenshots, run embedded payloads and extract them too along with extracting usernames, domains, and computer IDs.

None of these functions are extraordinary but what makes it different and somewhat more efficient is that it can use Basic HTML version of Gmail as its main source for communicating with its C&C server while it can also use DNS and HTTPS requests to communicate.

It can upload and download backdoors, serve as a keylogger and capture screenshots from an infected defive

Through Gmail, the malware receives instructions from the attackers for performing its functions as well as it “navigates to the inbox, finds the last unread message, grabs content from the message body and parses commands from this content. To send information back to command and control, base64 encodes the message data, replies to the received message, adds encoded message data and sends its message,” explains Sophos’ blog post.

Sophos discovered the spear phishing attack last week, and it is not clear whether Kedi is involved in any other widespread campaign, but it is quite possible that it starts targeting more users soon enough.

Therefore, if you want to stay protected, it is important to be cautious while opening links or documents received via email from the unauthorized or unknown sender. Users must also keep their operating systems and all installed applications updated with latest security patches and install updated version of an anti-virus application.

Uzair Amir

I am an Electronic Engineer, an Android Game Developer and a Tech writer. I am into music, snooker and my life motto is 'Do my best, so that I can't blame myself for anything.'