Kedi RAT

Kedi RAT Description

The Kedi RAT is a Remote Access Trojan that gives criminals control over your PC by executing the commands they issue, which can include uploading or downloading files, recording the user's keyboard input, and collecting private data. Its threat actors distribute it primarily through targeted e-mail attacks and may disguise it as one of several legitimate programs. Victims should have an anti-malware tool disinfect their PCs by uninstalling the Kedi RAT and should take further precautions to re-secure any data it may have collected.

A 'Citrix Update' that's Worth Turning Down

Threat actors are operating a new RAT against specific business, government and NGO entities, and its distribution is narrowly focused on those high-value targets. The Remote Access Trojan, the Kedi RAT, requires some degree of user error to compromise a PC with its current methods, but it employs a pair of social engineering strategies to help guarantee that error. Otherwise, malware experts note that it is a traditional but competent backdoor Trojan.

The Kedi RAT arrives as an e-mail attachment posing as an update for Citrix NetScaler Gateway, a secure remote access utility. Even its installation process includes an imitation pop-up and loading bar that maintain this disguise. Once installed (which may or may not add entries to the system's Registry), the Kedi RAT resides in the file system as a series of fake Adobe software files. From there, malware experts note that it may launch various standard attacks, many of which require commands from the threat actor.

Some of these features include:

  • The Kedi RAT may take screenshots to capture visual data from the PC.
  • The Kedi RAT may record anything that users type on their keyboards to a log file that it uploads to the threat actor's C&C server.
  • The Kedi RAT also supports general-purpose uploading and downloading, which it may use to collect additional files or drop new threats onto the PC.
  • The Kedi RAT can detect Virtual Machine environments and self-terminate to avoid detection in such situations.

Its Command & Control structure is also of note. Besides HTTPS- or DNS-based channels to its C&C server, it can also use Gmail. These communications and some other internals of the Kedi RAT's software use Base64 encoding to obscure harmful activity from detection.
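Because Base64 is an encoding rather than encryption, a defender can simply reverse it when reviewing logs. The following Python is an added example (not code from this page or from the Kedi RAT's authors) that scans constructed DNS and HTTPS log lines, decodes every Base64-looking token and flags the ones that decode to readable text, the kind of command or exfiltrated keystrokes described above. The log format, hostnames and command strings are assumptions made up for the sample.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional


def _b64(text: str) -> str:
    """Helper used only to build the constructed sample below."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample log lines (illustrative only, not captured Kedi RAT traffic).
SAMPLE_LOGS: List[str] = [
    # DNS-based channel: an encoded command travels as a hostname label
    f"2017-09-15T10:01:02 DNS query: {_b64('send screenshot')}.c2-collector.test from host01",
    # HTTPS channel: exfiltrated keystrokes travel as an encoded POST body
    f"2017-09-15T10:01:05 HTTPS POST /api/update body={_b64('keylog: password123')} host=updates.test",
    # Benign lines that the scanner should leave alone
    "2017-09-15T10:01:07 DNS query: www.citrix.com from host01",
    "2017-09-15T10:01:09 HTTPS GET /index.html host=intranet.test",
]

# A run of at least 16 Base64-alphabet characters, optionally padded, that is
# not glued to other alphabet characters on either side.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/])")


def try_decode(token: str) -> Optional[str]:
    """Return the decoded text if token is valid Base64 for printable UTF-8, else None."""
    padded = token + "=" * (-len(token) % 4)  # restore padding the sender may have dropped
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not text:
        return None
    # Random binary (or a long hex/alnum identifier) rarely decodes to mostly printable text
    printable = sum(1 for ch in text if ch.isprintable()) / len(text)
    return text if printable >= 0.9 else None


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Flag every Base64 token in lines that decodes to readable text."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        for match in B64_TOKEN.finditer(line):
            decoded = try_decode(match.group(0))
            if decoded is not None:
                findings.append({"line": lineno, "token": match.group(0), "decoded": decoded})
    return findings


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['token']} -> {hit['decoded']!r}")
```

The printable-ratio filter is what keeps ordinary long identifiers (session tokens, hashes) from being reported: they usually decode to bytes that are not text. On real logs, feed the decoded strings into whatever keyword or pattern rules the team already uses rather than alerting on every hit.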

Keeping the 'Access' Portion of a RAT's Campaign Low

While the Kedi RAT is currently a specialized tool that does not attack the public indiscriminately, that could change in future iterations of its campaign. For those who are affected, the Kedi RAT could facilitate the exfiltration of highly sensitive data while showing few, if any, symptoms. The Kedi RAT is a 32-bit program and, as usual, compatible with most versions of the Windows operating system.

Always install patches for software such as the OS, Adobe products and your anti-virus product, all of which can harbor vulnerabilities or limitations that make blocking or identifying the Kedi RAT more difficult than it needs to be. Incoming e-mail messages should receive extra scrutiny for telltale signs of danger, such as links whose displayed address does not match their destination, unexpected file attachments or spoofed 'sender' identities. Traditional anti-malware products may remove the Kedi RAT securely, but unless they do so immediately, they may not be in time to stop the theft of passwords and other information from an infected computer.
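To make the e-mail checks above concrete, the following Python is an added example (not code from this page) that audits a constructed message modelled on the Citrix update lure for the telltale signs named here: a Reply-To domain that differs from the From domain (one simple heuristic for a spoofed sender), link text whose displayed host differs from the real destination, and an unexpected executable attachment. The addresses, hostnames, file name and the list of risky extensions are made-up assumptions; a benign message is included to show the checks stay quiet on it.

```python
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Attachment extensions that should rarely arrive by e-mail unannounced (assumed list).
RISKY_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".hta", ".bat", ".cmd")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(header_value) -> str:
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def audit_message(msg: EmailMessage) -> List[str]:
    """Return human-readable warnings for the lure traits described in the text."""
    warnings: List[str] = []

    # 1. Spoofed-sender heuristic: replies routed to a different domain than the sender shows
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom} differs from sender domain {from_dom}")

    # 2. Mismatched link addresses: visible URL text vs. the real href destination
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        extractor = LinkExtractor()
        extractor.feed(html_part.get_content())
        for href, text in extractor.links:
            shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
            actual = urlparse(href).hostname
            if shown and actual and shown != actual:
                warnings.append(f"link text shows {shown} but points to {actual}")

    # 3. Unexpected executable attachments
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            warnings.append(f"executable attachment {name}")
    return warnings


def build_lure_message() -> EmailMessage:
    """Constructed sample modelled on the lure described above; not a real Kedi RAT e-mail."""
    msg = EmailMessage()
    msg["From"] = "Citrix Support <support@citrix-updates.test>"
    msg["Reply-To"] = "helpdesk@unrelated-mail.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Citrix NetScaler Gateway update required"
    msg.set_content("Please install the attached NetScaler Gateway update.")
    msg.add_alternative(
        '<p>Download: <a href="https://download.bad-cdn.test/update.exe">'
        "https://www.citrix.com/update</a></p>",
        subtype="html",
    )
    msg.add_attachment(
        b"MZ\x90\x00",  # constructed placeholder bytes, not a real binary
        maintype="application",
        subtype="octet-stream",
        filename="NetScaler_Update.exe",
    )
    return msg


def build_clean_message() -> EmailMessage:
    """Constructed benign message for comparison."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@example.test>"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Maintenance window"
    msg.set_content("Details: https://intranet.example.test/maintenance")
    return msg


if __name__ == "__main__":
    for label, builder in (("lure", build_lure_message), ("clean", build_clean_message)):
        print(label, audit_message(builder()) or ["no warnings"])
```

The Reply-To check is deliberately a heuristic: legitimate mailing systems sometimes set a different Reply-To, so treat it as one signal among the three rather than a verdict. A mail gateway would run the same three checks on the parsed message object it already has.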

The Kedi RAT isn't a relative of other well-known RATs, such as Ukraine's Vermin RAT, the rootkit-reminiscent RadRAT or the document-exploiting PentagonRAT. However, it's functionally very similar to all of them and shows how criminals keep profiting by recycling old but still-relevant techniques.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Kedi RAT may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.


Posted: September 15, 2017
Threat Metric
Threat Level: 8/10
Infected PCs: 35
