Sophos security researchers have found a new remote access Trojan (RAT) which can evade security scanners and communicate with its command and control (C&C) server via Gmail.
The new RAT is called Kedi and it was created for stealing users data. Similarly to most cyber viruses, the trojan is being spread via spear-phishing emails.
According to the experts, the observed attacks appear targeted with the malicious payload pretending to be a Citrix utility.
The capabilities of the Kedi RAT are the typical ones for this type of malware: file download/upload backdoors, AntiVM/anti-sandbox features, screenshot grabbing, keylogging, the ability to extract and run embedded secondary payloads, and to extract usernames, computer names, and domains.
The Sophos researchers claim that most of the above-mentioned features are command-driven.
The thing that makes the new RAT different from the other trojans is the ability to communicate with its C&C using Gmail (the Basic HTML version).
The security experts have also found that Kedi can talk to the server using DNS and HTTPS requests.
“Using Gmail to receive instructions from its C&C, Kedi navigates to the inbox, finds the last unread message, grabs content from message body and parses commands from this content. To send information back to command and control, base64 encodes the message data, replies to the received message, adds encoded message data and sends its message,” says Sophos.
Last week, the experts observed a spear-phishing attack distributing Kedi RAT.
The Sophos team warns that even though the new RAT doesn’t seem to have been involved in a widespread campaign by now, it could end up targeting more users soon.
Considering the experts’ warnings, users should be extremely careful when clicking on links or opening files they receive via email from unknown sources.
To stay safe, users are also advised to use trusted anti-virus applications and keep their systems and applications up to date at all times.
