Home Geeky Scoop Kedi RAT can steal your information and send it through gmail

Kedi RAT can steal your information and send it through gmail

12 min read
Comments Off on Kedi RAT can steal your information and send it through gmail

Kedi Rat is a new Trojan that can steal your information and send it back home using Gmail.

With advancement in knowledge resources, common people should also keep themselves updated about new developments in online security.  Researchers at SophosLabs have discovered a new RAT or Remote Access Trojan that can invade into windows. Kedi RAT steals data and sends it back home via Gmail. It is specifically designed for tracking down financial, personal and other vital information of infected computers.This attack is not new and adding to a long list of previous attacks, some of which were from CIA itself.
Kedi RAT can steal your information and send it through gmail
Kedi RAT
Image Art by TechScoop


The Kedi RAT

Kedi Rats are very sophisticated programs, apart from stealing information it keeps in touch with their attacker. The attacker can keep control over the action of RAT and command its actions. For example, you stored your financial information in a certain directory or file with a relevant name.
Rat sends directory structure to your computer and attacker will analyze and list out potential files that may contain useful information. This information can have bank details, passwords, Documents, Photos etc. An attacker can instruct Kedi via remote access to send back files with certain names, extensions, or size only. As per Sopholabs, Kedi RAT was discovered last week, in a Spear Phishing Campaign.

General Phishing vs. Spear Phishing

Phishing is something when attackers masquerade a legitimate organization’s interface to lure you into giving up your information or money. Spear Phishing is more targeted and focuses on specific details of victims, like Name, Addresses, Phone Numbers, Workplace, Car’s model and make etc., it’s done in order to Phish user into giving up their personal information without making him / her suspicious.

For example, a general phishing attack may start as “Dear Customer” while a spear phishing attack may start as “Dear Mr Anderson”, where Anderson is the actual name of the victim. To add to the message may contain more specific details, like

“Your Car BMW i8’s EMI from your Bank, Bank of America, account number ending with XXX1234 has been declined, kindly contact support for avoiding late payment charges”.
Here the Car, Bank and the last digits of your account number may corroborate to your actual details, so you will most likely think that this is a legitimate email from the car dealership or bank, and victim more likely to fall into this trap.
The Spear Phishing can go more specific e.g. apart from your details, attackers can also use details of one’s family to fool them into phishing attack. The Spear Phishing attack indicates that attackers already have a lot of victim’s details with them. And the Phishing targets specific victims only. It also implies that either victim or someone in victim’s circle has been a casualty of RAT or Kedi RAT like Trojans already.

Kedi RAT Characterstics

Apart from general RAT features, the Kedi RAT possesses Key logging capabilities, Anti Sandbox, Anti VM, and Root Control from C2 centre, Screenshot capabilities, Filtering username, computer name and domain names. The Kedi RAT stores information in the base64 file, it receives commands from a Gmail message, extracts commands from it, executes commands, attaches results with header and again encrypts it back to base 64.

Security Analysis of Kedi RAT by SophosLabs.


Fraser Howard, Principal Virus Researcher at SophosLabs done an extensive analysis of Kedi RAT. The attack starts with a Spear Phishing Hook, the Kedi Rat masquerade itself as Citrix Update. Its payload is 32-bit Mono/.net executable so it can run on both in Linux and windows. It seems to be written in C#.
Kedi RAT can steal your information and send it through gmail
Kedi RAT masquerading as Citrix File
Source SophosLabs
The payload is stored in %Update% in Adobe Folder, Furthermore, the RAT creates a folder named “Screenshots” that contains screenshots of screens that it probably sends back to its Command and Control Center.
The RAT further adds Registry hooks in victim’s registry, in order to identify the machine, as an MD5 digest. Recognition
Analysis of said Citrix file by SophosLabs it was revealed that the data sent by Trojan was encrypted. The encryption was a simple XOR-based encryption, the decryption by SophosLabs revealed that the data was a pdf file containing information. The SHA256 of that PDF was used as the key string in Decryption loop.


Precautions against Phishing / RAT attacks


  • Only keep a genuine copy of operating systems and all programs that you have on your system.
  • Be careful while updating Softwares and Operating System, make sure you are downloading updates from genuine sites only, preferably from https enabled websites.
  • Make sure you are visiting correct website,
    • Check the HTTPS certificate is genuine and from a reputed authority.
    • Also, make sure that the URL is not phoney, Nowadays users attackers are tricking users into visiting a website having a similar name as a genuine website.
      • For example, genuine URL of Bank of America is Https://www.BankOfAmerica.com/, instead, an attacker can use similar sounding URL say https://TheBankOfAmerica.com/. Not that Banks won’t rip you off, but at least they will give you a receipt for it (😜).
  • There is also a popular method hackers use for the phishing attack, it’s called Homograph attack. A lot of browsers do not support all characters in Unicode character set. So, instead of taking a similar domain name, a hacker can register a domain name with a Unicode in it that browsers do not support. For example, https://www.easy2hack.com can be posted as https://www.easyՁhack.com and no one will be the wiser.
  • Be wary of the emails you receive, DO NOT click on links and images that are in your email, check the source of the email, make sure it’s from a legitimate source, even then if it’s utmost necessary then click the link.
  • Banks, Government, Organizations never ask for your personal information neither they will call you asking for payments or personal information. If you receive a call claiming to be an IRS / FBI / CIA / MIB (:P) officer and ask for money in any way, they are phishing.
Best way to protect yourself is to be careful and be aware of latest tech trends. Techscoop.in brings you best of Techworld and we will keep you updated about latest developments in technology. Subscribe us or follow us on Facebook.

See also

WikiLeaks leaked CIA Missile Control Project’s Top Secret Data “The Protego”

WikiLeaks leaked CIA Missile Control Project’s Top Secret Data “The Protego” Wikileaks leaked secret files of Project Protego, that is related to CIA’s missile Control Program. The new leak is a threat to US Security as it unearths internal functioning of the missile program.



Load More Related Articles
Load More By Sushant Bhargav
Load More In Geeky Scoop

Check Also

Get a Genuine Windows 10 for as cheap as $3 | Legal and Working

1 Get Genuine Windows 10 for as low as $ 3 You can own a legitimate windows 10 for as low …