Kedi Rat is a new Trojan that can steal your information and send it back home using Gmail.


With technology advancing so quickly, ordinary users should also keep themselves updated about new developments in online security. Researchers at SophosLabs have discovered a new RAT (Remote Access Trojan) that can infect Windows machines. Kedi RAT steals data and sends it back home via Gmail. It is specifically designed to track down financial, personal and other vital information on infected computers.

This kind of attack is not new; it adds to a long list of previous attacks, some of which came from the CIA itself.


The Kedi RAT

RATs such as Kedi are very sophisticated programs: not only do they steal information, they also keep in touch with their attacker, who retains control over the RAT and commands its actions. For example, suppose you stored your financial information in a certain directory or file with a telling name.
The RAT sends the directory structure of your computer to the attacker, who analyzes it and lists potential files that may contain useful information, such as bank details, passwords, documents or photos. The attacker can then instruct Kedi via remote access to send back only files with certain names, extensions or sizes. According to SophosLabs, Kedi RAT was discovered last week in a spear phishing campaign.

General Phishing vs. Spear Phishing

Phishing is when attackers imitate a legitimate organization's interface to lure you into giving up your information or money. Spear phishing is more targeted and uses specific details of the victim, such as name, address, phone number, workplace, or the make and model of their car, in order to phish the user into giving up personal information without making him or her suspicious.
For example, a general phishing attack may start with "Dear Customer", while a spear phishing attack may start with "Dear Mr Anderson", where Anderson is the actual name of the victim. The message may go on to contain more specific details, such as

“Your Car BMW i8’s EMI from your Bank, Bank of America, account number ending with XXX1234 has been declined, kindly contact support for avoiding late payment charges”.

Here the car, the bank and the last digits of the account number may match your actual details, so you will most likely think this is a legitimate email from the car dealership or bank, and the victim is more likely to fall into the trap.
Spear phishing can get even more specific: apart from your own details, attackers can also use details of your family to fool you. A spear phishing attack indicates that the attackers already hold a lot of the victim's details and are targeting specific victims only. It also implies that either the victim or someone in the victim's circle has already been a casualty of a Trojan like Kedi RAT.

Kedi RAT features

Apart from general RAT features, Kedi RAT has keylogging capabilities, anti-sandbox and anti-VM checks, root control from the C2 centre, screenshot capabilities, and filtering by username, computer name and domain name. Kedi RAT stores information in a base64-encoded file; it receives commands from a Gmail message, extracts and executes the commands, attaches the results with a header and encodes them back to base64.

Security Analysis of Kedi RAT by SophosLabs

Fraser Howard, Principal Virus Researcher at SophosLabs, has done an extensive analysis of Kedi RAT. The attack starts with a spear phishing hook: the Kedi RAT masquerades as a Citrix update. Its payload is a 32-bit Mono/.NET executable, so it can run on both Linux and Windows. It appears to be written in C#.
[Image: Kedi RAT masquerading as a Citrix file. Source: SophosLabs]

The payload is stored in %Update% in the Adobe folder. Furthermore, the RAT creates a folder named "Screenshots" containing screenshots that it probably sends back to its command and control centre. The RAT also adds registry hooks in the victim's registry in order to identify the machine, as an MD5 digest.

SophosLabs' analysis of the Citrix file revealed that the data sent by the Trojan was encrypted. The encryption was simple XOR-based; decrypting it revealed that the data was a PDF file containing information. The SHA256 of that PDF was used as the key string in the decryption loop.
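The XOR scheme described above, as an added illustration (example code, not from SophosLabs or the author): the key is assumed to be the 64-character hex SHA256 digest of a file, applied as a repeating key; the "PDF" and its ciphertext are constructed here. The last function shows why such a scheme is weak for the attacker: the fixed %PDF- header leaks the first key bytes.

```python
import hashlib
from typing import Optional


def key_from_sha256(blob: bytes) -> bytes:
    # Assumption: the key string is the hex digest (64 ASCII chars) used as key bytes
    return hashlib.sha256(blob).hexdigest().encode("ascii")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    # XOR with a repeating key is symmetric: the same loop encrypts and decrypts
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pdf(data: bytes) -> bool:
    # Sanity check on the decrypted output: a PDF starts with the %PDF- magic
    return data.startswith(b"%PDF-")


def decrypt_exfil(ciphertext: bytes, key_source: bytes) -> Optional[bytes]:
    # Returns the plaintext only if it decodes to something PDF-shaped
    plain = xor_with_key(ciphertext, key_from_sha256(key_source))
    return plain if looks_like_pdf(plain) else None


def recover_key_prefix(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    # Known-plaintext property of XOR: ciphertext XOR plaintext yields the key
    # bytes at those positions, so a fixed file header leaks the start of the key
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


# Constructed sample standing in for the document recovered in the analysis
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
SAMPLE_KEY = key_from_sha256(SAMPLE_PDF)
SAMPLE_CIPHERTEXT = xor_with_key(SAMPLE_PDF, SAMPLE_KEY)

if __name__ == "__main__":
    print(decrypt_exfil(SAMPLE_CIPHERTEXT, SAMPLE_PDF) == SAMPLE_PDF)
    print(recover_key_prefix(SAMPLE_CIPHERTEXT, b"%PDF-"))
```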

Precautions against Phishing / RAT attacks

  • Only keep genuine copies of the operating system and all programs on your system.
  • Be careful while updating software and the operating system; make sure you download updates from genuine sites only, preferably from HTTPS-enabled websites.
  • Make sure you are visiting the correct website: check that the HTTPS certificate is from a reputable authority, and make sure the URL is not phony. Nowadays you could be fooled into visiting a website whose name resembles a genuine one; for example, the genuine URL of Bank of America is https://www.BankOfAmerica.com/ , whereas an attacker can use a similar-sounding URL such as https://TheBankOfAmerica.com/ .
  • There is also a popular method hackers use for phishing called the homograph attack. A lot of browsers do not support all characters in the Unicode character set, so instead of taking a similar domain name, a hacker can register a domain name containing a Unicode character that browsers do not support; for example, https://www.easy2hack.com can be posed as https://www.easyՁhack.com and no one will be the wiser.
  • Be wary of the emails you receive: DO NOT click on links and images in your email. Check the source of the email and make sure it is from a legitimate sender; even then, click the link only if it is absolutely necessary.
  • Banks, governments and organizations never ask for your personal information, nor will they call you asking for payments or personal information. If you receive a call from someone claiming to be an IRS / FBI / CIA / MIB (:P) officer who asks for money in any way, they are phishing.
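The lookalike-domain and homograph checks from the list above, as an added example (not from the original article): it flags hostnames with non-ASCII or mixed-script labels, shows the xn-- form that actually goes on the wire, and compares a host against a constructed allowlist, which is the only way to catch ASCII lookalikes such as TheBankOfAmerica.com.

```python
import unicodedata
from typing import Dict, Iterable, Optional, Set
from urllib.parse import urlsplit


def hostname_of(url: str) -> str:
    # urlsplit lowercases the host for us
    return urlsplit(url).hostname or ""


def scripts_in(label: str) -> Set[str]:
    # First word of a character's Unicode name is its script: LATIN, ARMENIAN, CYRILLIC...
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def punycode(label: str) -> Optional[str]:
    # IDNA/punycode form, the ASCII string a resolver really sees
    try:
        return label.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def homograph_risk(url: str) -> Dict[str, object]:
    # Flags non-ASCII labels and labels that mix scripts (e.g. Latin + Armenian)
    host = hostname_of(url)
    findings = []
    for label in host.split("."):
        if not label.isascii():
            findings.append(f"non-ASCII label {label!r} -> {punycode(label)}")
        if len(scripts_in(label)) > 1:
            findings.append(f"mixed scripts in {label!r}: {sorted(scripts_in(label))}")
    return {"host": host, "suspicious": bool(findings), "findings": findings}


def is_trusted(host: str, trusted: Iterable[str]) -> bool:
    # Exact match or subdomain of an allowlisted registrable domain (constructed list)
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


TRUSTED_HOSTS = {"bankofamerica.com"}  # constructed allowlist for the example

if __name__ == "__main__":
    for u in ("https://www.easy2hack.com", "https://www.easyՁhack.com", "https://TheBankOfAmerica.com/"):
        print(homograph_risk(u), is_trusted(hostname_of(u), TRUSTED_HOSTS))
```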
The best way to protect yourself is to be careful and stay updated.
