A new remote access trojan (RAT) known as Kedi phones home and transmits a victim's stolen data to attackers using Gmail.

The malware relies on spear-phishing, one of the most common types of phishing attacks, for distribution. These attack emails spread a 32-bit Mono/.Net Windows executable, written in C#, that masquerades as a Citrix tool. It then changes its disguise to an Adobe component after it installs itself in the Adobe folder of %Appdata%.
Kedi's Adobe counterfeit. (Source: Naked Security)

Kedi comes with some configuration information that it protects using XOR-based encryption. This data carries instructions for the usual functions of a RAT, such as grabbing screenshots and logging keystrokes. The malware then takes the information it stole from a victim and sends it back to its attackers. It can do so via DNS and HTTPS. But what makes Kedi unique is its ability to phone home using Gmail.

Naked Security author Bill Brenner elaborates on this technique:

"Using Gmail to receive instructions from its C2, Kedi navigates to the inbox, gets the last unread message, grabs content from the message body and parses commands from this content. To send information back to command and control, it base64 encodes the message data, replies to the received message, adds the encoded message data and sends its message."

No doubt malware developers planned Kedi's Gmail functionality in an attempt to prevent security researchers from detecting the threat: traffic to Gmail over HTTPS blends in with ordinary user activity. It's reasonable to assume that other bad actors will go to these lengths to conceal their malware, as well.

With that said, users and businesses should work to prevent a malware infection. First, they should install an anti-virus solution on all workstations and keep that solution updated. Second, organizations should conduct ongoing phishing awareness training with their workers. Lastly, businesses should develop a vulnerability management program that's capable of quickly addressing known security issues.
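Because Kedi's Gmail channel hides inside traffic that looks like normal webmail use, a useful hunting angle is not the destination alone but the combination of destination and originating process: a browser or mail client talking to Gmail is expected, while an executable living under a user's %AppData% (where Kedi installs itself) doing the same is not. The following is an added example of that logic, written for this article and not code from the original page or from Naked Security; the "key=value" telemetry format, the field names, the process names and every sample event are constructed for illustration, and the hostname and client allowlists are assumptions a real deployment would tune.

```python
"""Hunt for webmail-based C2 from processes that run out of %AppData%.

Added example for the Kedi article; not the article's or Naked Security's code.
The telemetry format, sample events, process names and allowlists are constructed.
"""
import re

# Endpoints a Gmail session would touch (web UI, IMAP, SMTP). Assumed list.
GMAIL_HOSTS = {"mail.google.com", "imap.gmail.com", "smtp.gmail.com"}

# Processes expected to talk to Gmail on a workstation. Assumed allowlist.
EXPECTED_MAIL_CLIENTS = {
    "chrome.exe", "firefox.exe", "msedge.exe", "outlook.exe", "thunderbird.exe",
}

# Kedi installs under the Adobe folder of %AppData%; match any user profile.
APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)

# Constructed sample telemetry (process -> destination). Not real IoCs.
SAMPLE_LOG = [
    r'ts="2017-09-11T08:01:02Z" proc="C:\Program Files\Mozilla Firefox\firefox.exe" host="mail.google.com" proto="https"',
    r'ts="2017-09-11T08:03:17Z" proc="C:\Users\alice\AppData\Roaming\Adobe\adobe_tool.exe" host="mail.google.com" proto="https"',
    r'ts="2017-09-11T08:03:20Z" proc="C:\Users\alice\AppData\Roaming\Adobe\adobe_tool.exe" host="updates.example.net" proto="dns"',
    r'ts="2017-09-11T08:05:00Z" proc="C:\Windows\System32\svchost.exe" host="imap.gmail.com" proto="https"',
]


def parse_event(line):
    """Parse one constructed key="value" telemetry line into a dict."""
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="([^"]*)"', line)}


def classify(event):
    """Return a reason string when the event matches the hunting logic, else None.

    Two tiers: a process under %AppData% reaching Gmail is the Kedi-shaped case;
    any other non-mail-client process reaching Gmail is still worth a look.
    """
    proc = event.get("proc", "")
    host = event.get("host", "").lower()
    name = proc.rsplit("\\", 1)[-1].lower()
    if host not in GMAIL_HOSTS:
        return None
    if name in EXPECTED_MAIL_CLIENTS:
        return None
    if APPDATA_RE.search(proc):
        return f"non-mail-client {name} under %AppData% contacting {host}"
    return f"unexpected process {name} contacting {host}"


def hunt(lines):
    """Run the rule over raw telemetry lines; return (ts, proc, reason) findings."""
    findings = []
    for event in map(parse_event, lines):
        reason = classify(event)
        if reason:
            findings.append((event.get("ts", ""), event.get("proc", ""), reason))
    return findings


if __name__ == "__main__":
    for ts, proc, reason in hunt(SAMPLE_LOG):
        print(f"{ts}  {reason}\n    {proc}")
```

On the constructed sample, the Firefox session is ignored, the fake Adobe tool under %AppData% is flagged as the Kedi-shaped case, the same tool's unrelated DNS lookup is ignored because the rule keys on Gmail endpoints, and the system process reaching IMAP is flagged at the lower tier. Process path and name are weak signals on their own (a browser can be renamed, and legitimate software does live under %AppData%), so a production rule would add code-signing status, parent process and a baseline of which hosts normally use mail clients, but the destination-plus-process pairing is what turns "traffic to Gmail" from noise into a lead.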