Kedi RAT
Posted: September 15, 2017
Threat Metric
The fields shown on the Threat Meter, each carrying a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. The criteria for the Volume Count are relative to the daily detection count.
Trend Path: The Trend Path, shown as an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change in a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 8/10 |
|---|---|
| Infected PCs: | 35 |
| First Seen: | September 15, 2017 |
| OS(es) Affected: | Windows |
The Kedi RAT is a Remote Access Trojan that gives criminals control over your PC by executing the commands they issue, which can include uploading or downloading files, recording the user's keyboard input, and collecting private data. This Trojan's threat actors use targeted e-mail attacks as their primary means of distributing it and may disguise it as one of several programs. Victims should have an anti-malware tool disinfect their PCs by uninstalling the Kedi RAT, and should take further precautions to re-secure any data that may have been collected.
A 'Citrix Update' that's Worth Turning Down
Threat actors are operating a new RAT for attacking specific business, government and NGO entities, with its distribution focused narrowly on these high-value targets. The Remote Access Trojan, the Kedi RAT, requires some degree of user error to compromise a PC with its current methods, but employs a pair of social engineering strategies to help guarantee that success. Otherwise, malware experts note it as a traditional but competent form of backdoor Trojan.
The Kedi RAT arrives as an e-mail attachment posing as an update for Citrix NetScaler Gateway, a secure remote access utility. Even the installation process for the Kedi RAT includes an imitation pop-up and loading bar that maintain this disguise. Once installed (installation may or may not add some entries to the system's Registry), the Kedi RAT resides in the file system as a series of files disguised as Adobe software. From there, malware experts note that it may launch various standard attacks, many of which require commands that the threat actor issues.
Some of these features include:
- The Kedi RAT may take screenshots for capturing visual data from the PC.
- The Kedi RAT may record anything the user types on the keyboard to a log file that it uploads to the threat actor's C&C server.
- The Kedi RAT also supports non-specific uploading and downloading activity that it may use for collecting additional files or dropping new threats onto the PC.
- The Kedi RAT can detect Virtual Machine environments and self-terminate for avoiding detection in such situations.
Its Command & Control structure is also of note. Besides HTTPS- or DNS-based channels to its C&C server, it can also use Gmail. These communications, and some of the Kedi RAT's other internals, use Base64 encoding to obscure them from attempts at detecting harmful activity.
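The Base64-over-DNS channel described above lends itself to a simple hunt over DNS query logs: look for labels that are long enough to carry data and that decode cleanly to readable text. The following Python is an added example, not code from this article or from any analysis of the RAT; the log lines and the c2.example.test domain are constructed, and the decoding rule (labels of 12 or more characters that decode to printable ASCII) is an assumption chosen for the demonstration.

```python
import base64
import binascii
import re

# Constructed sample DNS query log lines; the C&C domain is a placeholder, not a real indicator.
SAMPLE_DNS_LOG = """\
2017-09-15T10:01:02Z client=10.0.0.5 query=www.example.com type=A
2017-09-15T10:01:05Z client=10.0.0.5 query=c2NyZWVuc2hvdCBvaw.cdn.c2.example.test type=TXT
2017-09-15T10:01:09Z client=10.0.0.7 query=mail.google.com type=A
2017-09-15T10:01:12Z client=10.0.0.5 query=a2V5bG9nIGNodW5rIDE.cdn.c2.example.test type=TXT
"""

QUERY_RE = re.compile(r"client=(\S+) query=(\S+)")
LABEL_RE = re.compile(r"^[A-Za-z0-9+/_-]+$")
MIN_LABEL_LEN = 12  # ordinary labels (www, mail, cdn) are too short to carry tunnelled data


def decode_label(label):
    """Return the decoded text if `label` is Base64 (standard or URL-safe alphabet, padding
    optional) that decodes to printable ASCII; otherwise None."""
    if len(label) < MIN_LABEL_LEN or not LABEL_RE.match(label):
        return None
    std = label.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)  # tunnelled data usually drops the '=' padding
    try:
        raw = base64.b64decode(std, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def find_encoded_queries(log_text):
    """Return (client, query, decoded_text) for every logged query that carries a label
    decoding cleanly from Base64; such queries deserve a look in a C&C-over-DNS hunt."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, query = m.groups()
        for label in query.split("."):
            decoded = decode_label(label)
            if decoded is not None:
                hits.append((client, query, decoded))
                break
    return hits
```

Short labels that happen to decode to printable text will still produce the odd false positive, so treat hits as leads to correlate with the querying host rather than as verdicts.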
Keeping the 'Access' Portion of a RAT's Campaign Low
While the Kedi RAT is currently a specialized tool that isn't attacking the public indiscriminately, that could change in future iterations of its campaign. For those who are affected, the Kedi RAT could facilitate the exfiltration of highly sensitive data while showing relatively few symptoms. The Kedi RAT's software is a 32-bit program and, as usual, compatible with most versions of the Windows operating system.
Always install patches for software such as the OS, Adobe products, or your anti-virus product, all of which can harbor vulnerabilities or limitations that make blocking or identifying the Kedi RAT more difficult than it needs to be. Incoming e-mail messages should receive extra scrutiny for telltale signs of potential danger, such as mismatched addresses in their links, unexpected file attachments or spoofed 'sender' identities. Traditional anti-malware products may remove the Kedi RAT securely but, unless they do so immediately, may not be in time to stop the theft of passwords and other information from an infected computer.
The Kedi RAT isn't a relative of other well-known RATs, such as Ukraine's Vermin RAT, the rootkit-reminiscent RadRAT, or the document-exploiting PentagonRAT. However, it's very similar to all of these threats and shows how criminals keep profiting by recycling old but still-relevant techniques.
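Two of the e-mail warning signs listed above, a link whose visible address differs from where it really points and a sender whose From domain does not match the Return-Path, can be checked mechanically. The following Python is an added example, not from the original article; the sample message and its hosts are constructed placeholders, and the From/Return-Path comparison is a simplified stand-in for full sender-authentication checks.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure the page describes; every host here is a placeholder.
SAMPLE_EMAIL = """\
From: Citrix Support <updates@citrix-support.example>
Return-Path: <bounce@mailer.example.net>
Content-Type: text/html

<p>Apply the update here: <a href="https://download.example.net/upd.exe">https://www.citrix.com/netscaler</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the anchor tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain_of(header_value):
    # Domain part of an address header such as From or Return-Path
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def check_message(raw):
    """Return one warning per telltale sign: a From/Return-Path domain mismatch, or a link
    whose visible address names a different host than the one it actually points to."""
    msg = message_from_string(raw)
    warnings = []
    from_dom, rp_dom = domain_of(msg["From"] or ""), domain_of(msg["Return-Path"] or "")
    if from_dom and rp_dom and from_dom != rp_dom:
        warnings.append(f"sender mismatch: From={from_dom} Return-Path={rp_dom}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        if text.startswith("http") and host_of(text) != host_of(href):
            warnings.append(f"link mismatch: shows {host_of(text)} but goes to {host_of(href)}")
    return warnings
```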