Sophos News

Beware the Kedi RAT pretending to be a Citrix file that Gmails home

Thanks to Fraser Howard, principal threat researcher with SophosLabs, for the research this article is based on.

Researchers have discovered a new remote-access Trojan (RAT) called Kedi, which can snoop on infected systems, steal data and evade security scanners. It was being delivered by a spear-phishing campaign when it was first discovered last week.

The attacks appear to be targeted rather than widespread, and Kedi largely behaves as most RATs do. Where it stands out is in the flexibility of its command-and-control (C2) communication: among other things, it can receive instructions and transmit stolen data through Gmail.

The spear-phishing hook

The payload is a 32-bit Mono/.NET Windows executable, written in C#. It masquerades as a Citrix utility, both in its resources (the version-information properties) and in the splash screen displayed on startup.

The payload installs itself under %AppData%, inside an Adobe folder, so that from that point on it masquerades as an Adobe file. The payload is accompanied by a lock file (.lck) and a folder into which it will presumably save screenshots.

Depending on its configuration, it may also add a Run-key startup entry, which looks like this:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run “Adobe Updates” = c:\Users\<username>\AppData\Roaming\Adobe\reader_sl.exe

It creates an identifier for the infected endpoint using the MD5 of the machine name, and stores it in the Registry (as binary data):

HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\DefaultVisualStyle “HR” = <md5 of machine name>
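The two registry artifacts above are enough for a quick host check. The script below is an added example (not Sophos's or Kedi's code) that looks for the "Adobe Updates" Run entry pointing at reader_sl.exe and for an "HR" value equal to the MD5 of the machine name. The article does not say how the name is encoded or cased before hashing, so the code assumes UTF-8 and tries the name as given plus its upper- and lower-case forms; it also assumes the value holds the raw 16-byte digest. The registry read only happens on Windows; the comparison functions run anywhere.

```python
"""Hunt for the Kedi persistence and host-ID artifacts in HKCU.

Added example, not code from the article. Assumptions are marked below.
"""
import hashlib
import platform
import re

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Adobe Updates"
MARKER_KEY = r"Software\Microsoft\Windows\CurrentVersion\Themes\DefaultVisualStyle"
MARKER_VALUE = "HR"
# Path fragment from the article's Run entry, matched case-insensitively.
SUSPECT_PATH = re.compile(r"\\AppData\\Roaming\\Adobe\\reader_sl\.exe\b", re.IGNORECASE)


def expected_host_ids(machine_name):
    """Candidate 'HR' values for this host.

    Assumption: MD5 over the UTF-8 machine name; casing is not stated by the
    article, so exact, upper- and lower-case variants are all accepted.
    """
    names = {machine_name, machine_name.upper(), machine_name.lower()}
    return {hashlib.md5(n.encode("utf-8")).digest() for n in names}


def marker_matches(value_data, machine_name):
    """True if a REG_BINARY 'HR' value is the MD5 of this machine's name."""
    return bytes(value_data) in expected_host_ids(machine_name)


def run_entry_is_suspicious(name, command):
    """Flag an 'Adobe Updates' Run entry launching %AppData%\\Adobe\\reader_sl.exe."""
    return name.strip().lower() == RUN_VALUE.lower() and bool(SUSPECT_PATH.search(command))


def scan_current_user():
    """Read both artifacts from HKCU (Windows only) and return a list of findings."""
    findings = []
    if platform.system() != "Windows":
        return findings
    import winreg  # standard library on Windows only

    # 1. Walk every value under the per-user Run key.
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _kind = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                index += 1
                if run_entry_is_suspicious(name, str(data)):
                    findings.append(f"Run entry {name!r} -> {data}")
    except FileNotFoundError:
        pass

    # 2. Check the 'HR' marker against the MD5 of this machine's name.
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, MARKER_KEY) as key:
            data, kind = winreg.QueryValueEx(key, MARKER_VALUE)
        if kind == winreg.REG_BINARY and marker_matches(data, platform.node()):
            findings.append(f"'HR' marker equals MD5 of machine name {platform.node()!r}")
    except FileNotFoundError:
        pass
    return findings


if __name__ == "__main__":
    for line in scan_current_user() or ["no Kedi registry artifacts found"]:
        print(line)
```

A value under DefaultVisualStyle is odd by itself: that key normally lives under HKCU\Software\Microsoft\Windows\CurrentVersion\Themes with string data about the active visual style, not a 16-byte binary blob, so an unexplained binary value there is worth a look even when the hash does not match.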

Features

The RAT has all the features a researcher would expect to find, including:

Most of these features are command-driven.

Encrypt/decrypt process

The RAT ships with default configuration data so that it can get started the first time it runs on a machine.

After trimming and base64 decoding, the data appears to be encrypted:

Code analysis reveals that the RAT protects its configuration data with a simple XOR-based encryption loop. The binary contains an embedded PDF, and the SHA256 of that PDF is used as the key string in the decryption loop:
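To make the scheme concrete, here is an added example (a model written for this article, not SophosLabs' decompiled code) of the trim, base64-decode and repeating-key XOR steps, with the key derived from the SHA-256 of an embedded PDF. The article does not give the exact key derivation (whether the hex text or the raw digest bytes are used, or its case) or the trimming rule, so this code assumes the lower-case hex digest is used as a 64-character ASCII key and that the stored blob is whitespace-padded base64. The PDF and the configuration string are constructed stand-ins. The last function shows the caveat that matters to an analyst: with a known fragment of plaintext, XOR gives the key bytes back without the PDF.

```python
"""Model of Kedi-style config protection: base64 + repeating-key XOR keyed by
SHA-256(embedded PDF). Added example; key-format details are assumptions.
"""
import base64
import hashlib

# Constructed stand-in for the embedded PDF resource.
EMBEDDED_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Constructed sample configuration, in the spirit of what a RAT would carry.
SAMPLE_CONFIG = b"c2=gmail;user=example@gmail.com;poll=60;dns=c2.example.invalid"


def derive_key(pdf_bytes):
    """Key string = SHA-256 hex digest of the PDF, as ASCII (assumed format)."""
    return hashlib.sha256(pdf_bytes).hexdigest().encode("ascii")


def xor_with_key(data, key):
    """Repeating-key XOR. Symmetric, so one routine encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_config(stored, pdf_bytes):
    """The RAT's side: trim, base64-decode, XOR with the PDF-derived key."""
    raw = base64.b64decode(stored.strip(), validate=True)
    return xor_with_key(raw, derive_key(pdf_bytes))


def encrypt_config(plain, pdf_bytes):
    """Inverse of decrypt_config: the base64 text the binary would embed."""
    return base64.b64encode(xor_with_key(plain, derive_key(pdf_bytes))).decode("ascii")


def recover_key_fragment(stored, known_plain):
    """Analyst's side: XOR the ciphertext with a known plaintext prefix.

    Because the cipher is plain XOR, ciphertext ^ plaintext = key. With a
    guessed field name such as b"c2=" the first key bytes fall out directly,
    and if every recovered byte is a hex digit the key is almost certainly a
    hex digest, which is the tell for this scheme.
    """
    raw = base64.b64decode(stored.strip(), validate=True)
    return xor_with_key(raw[: len(known_plain)], known_plain)


def looks_like_hex_key(fragment):
    """True when every recovered key byte is one of 0-9a-f."""
    return len(fragment) > 0 and all(c in b"0123456789abcdef" for c in fragment)


if __name__ == "__main__":
    blob = "  " + encrypt_config(SAMPLE_CONFIG, EMBEDDED_PDF) + "\n"
    print("stored   :", blob.strip())
    print("decrypted:", decrypt_config(blob, EMBEDDED_PDF).decode())
    frag = recover_key_fragment(blob, b"c2=gmail")
    print("key bytes recovered from known plaintext:", frag, looks_like_hex_key(frag))
```

The point of recover_key_fragment is that the protection is obfuscation, not encryption: anyone holding the binary has the PDF and therefore the key, and anyone holding only the blob still recovers key bytes wherever the plaintext is predictable.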

Gmail to command-control

Central to pretty much all RATs is their ability to call home and transfer data between attacker and victim. Kedi is a particularly interesting case because it can do this through Gmail – specifically, the Basic HTML version of the web interface. It can also talk to its C2 over DNS and HTTPS.

When using Gmail to receive instructions from its C2, Kedi navigates to the inbox, finds the last unread message, grabs the content of the message body and parses commands from it. To send information back to the C2, it base64-encodes the message data, replies to the message it received, adds the encoded data to the reply and sends it.

It’s interesting to see how attackers keep trying to be more inventive in their approach to call home and make it harder for the good guys to detect and block its activity, Howard said.

Defensive measures

As noted above, this does not look like a widespread attack. But that’s cold comfort if you’re the one who’s targeted. For any type of malware, we recommend the following:

Since this looks like a case of spear phishing, the best way to avoid the trap is to:

