Kedi RAT Description
The Kedi RAT is a Remote Access Trojan that gives criminals control over your PC by executing the commands they issue, which can include uploading or downloading files, recording the user's keyboard input, and collecting private data. Its threat actors use targeted e-mail attacks as their primary means of distribution and may disguise the Trojan as one of several legitimate programs. Victims should have an anti-malware tool disinfect their PCs by uninstalling the Kedi RAT and should take further precautions to re-secure any data that may have been collected.
A 'Citrix Update' that's Worth Turning Down
Threat actors are operating a new RAT against specific business, government and NGO entities, with distribution focused narrowly on these high-value targets. The Remote Access Trojan, the Kedi RAT, requires some degree of user error to compromise a PC with its current methods, but it employs a pair of social engineering strategies to secure that success. Otherwise, malware experts note that it is a traditional but competent backdoor Trojan.
The Kedi RAT arrives as an e-mail attachment posing as an update for Citrix NetScaler Gateway, a secure remote access utility. Even the Kedi RAT's installation process includes an imitation pop-up and loading bar that maintain this disguise. Once installed (a process that may also add entries to the Windows Registry), the Kedi RAT resides in the file system as a series of files posing as Adobe software. From there, malware experts note that it may launch various standard attacks, many of which require commands issued by the threat actor.
Some of these features include:
- The Kedi RAT may take screenshots to capture visual data from the PC.
- The Kedi RAT may record anything the user types on the keyboard to a log file, which it uploads to the threat actor's C&C server.
- The Kedi RAT also supports general-purpose uploading and downloading, which it may use to collect additional files or to drop new threats onto the PC.
- The Kedi RAT can detect Virtual Machine environments and self-terminate to avoid detection in such situations.
Its Command & Control structure is also of note. Besides using HTTPS or DNS-based methods of communicating with its C&C, it can also use Gmail. These communications, and some other internals of the Kedi RAT's software, use Base64 encoding to obscure harmful activity from detection.
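As an added illustration that is not part of the original article: a Python heuristic that flags DNS queries carrying long, Base64-shaped labels, the pattern a DNS-based C&C channel that Base64-encodes its traffic would leave in resolver logs. The log lines, the beacon strings and the c2-placeholder.example domain are constructed for this example, and the entropy threshold is an assumption to tune against your own traffic.

```python
import base64
import binascii
import math
import re
from collections import Counter
from typing import List, Optional, Tuple

# Constructed beacon strings, Base64-encoded into DNS labels (illustrative only,
# not real Kedi RAT traffic). Padding is stripped as a DNS label cannot carry '='.
_BEACON_1 = base64.urlsafe_b64encode(b"host=WS12;user=alice;seq=1").decode().rstrip("=")
_BEACON_2 = base64.urlsafe_b64encode(b"host=WS12;user=alice;seq=2;idle=1").decode().rstrip("=")

# Constructed resolver log: "<timestamp> <client-ip> <queried-name>"
SAMPLE_DNS_LOG = f"""\
2018-03-01T10:00:01Z 10.0.0.12 www.citrix.com
2018-03-01T10:00:02Z 10.0.0.12 mail.google.com
2018-03-01T10:00:03Z 10.0.0.12 {_BEACON_1}.c2-placeholder.example
2018-03-01T10:00:04Z 10.0.0.12 static.adobe.com
2018-03-01T10:00:05Z 10.0.0.12 {_BEACON_2}.c2-placeholder.example
"""

# Base64 (standard or URL-safe alphabet), at least 16 chars, within the 63-char DNS label limit.
B64_LABEL = re.compile(r"^[A-Za-z0-9+/_-]{16,63}$")
ENTROPY_THRESHOLD = 3.5  # assumed; hex-only CDN labels and plain words usually fall below it

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def decode_b64_label(label: str) -> Optional[bytes]:
    """Return decoded bytes if the label looks like a Base64 blob, else None."""
    if not B64_LABEL.match(label) or shannon_entropy(label) < ENTROPY_THRESHOLD:
        return None
    std = label.replace("-", "+").replace("_", "/")      # normalise URL-safe alphabet
    try:
        return base64.b64decode(std + "=" * (-len(std) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None

def flag_suspicious_queries(log_text: str) -> List[Tuple[str, str, bytes]]:
    """Return (client, qname, decoded_label) for each query carrying a Base64-shaped label."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                                      # skip malformed lines
        _ts, client, qname = parts
        for label in qname.split(".")[:-2]:               # ignore the registrable domain itself
            decoded = decode_b64_label(label)
            if decoded is not None:
                hits.append((client, qname, decoded))
                break
    return hits
```

Treat a hit as a lead for inspection rather than proof of compromise: signed software updaters and some CDNs also emit long random-looking labels, so pair this with process and destination context from the host.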
Keeping the 'Access' Portion of a RAT's Campaign Low
While the Kedi RAT is currently in use as a specialized tool that does not attack the public indiscriminately, that could change in future iterations of its campaign. For those who are affected, the Kedi RAT could facilitate the exfiltration of highly sensitive data with few or no visible symptoms. The Kedi RAT's software is a 32-bit program and, as usual, is compatible with most versions of the Windows operating system.
Always install patches for software such as the OS, Adobe products, and your anti-virus product, all of which can harbor vulnerabilities or limitations that make blocking or identifying the Kedi RAT harder than it needs to be. Incoming e-mail messages should receive extra scrutiny for telltale signs of danger, such as mismatched addresses in their links, unexpected file attachments or spoofed 'sender' identities. Traditional anti-malware products may remove the Kedi RAT securely, but unless they do so immediately, they may not be in time to stop the theft of passwords and other information from an infected computer.
The Kedi RAT is not a relative of other, well-known RATs, such as Ukraine's Vermin RAT, the rootkit-reminiscent RadRAT, or the document-exploiting PentagonRAT. However, it is very similar to all of these threats and shows how criminals can keep profiting by recycling old, but still relevant, techniques.
Use SpyHunter to Detect and Remove PC Threats
If you are concerned that malware or PC threats similar to Kedi RAT may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.
Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.