Security vendor Sophos has reported on a new Remote Access Trojan (RAT) named Kedi. The RAT is capable of:
- downloading additional malware or backdoors
- logging keystrokes
- capturing screenshots and stealing information from the infected system
Kedi RAT arrives on a victim's machine via spear-phishing emails carrying the Kedi RAT installer. The installer file purports to be a legitimate Citrix NetScaler Unified Gateway installer.
On execution, the RAT communicates with its C2 server over DNS or HTTPS. It also abuses the victim's Gmail account to talk to the C2 server: commands are received and stolen information is sent through that Gmail account.
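A defender-side heuristic for the Gmail-based C2 channel described above, added here as an illustration rather than anything from the Sophos report: flag processes that connect to Gmail endpoints but are not the browsers or mail clients expected to do so. The Gmail hostnames, the allowlist and the sample log lines (including the fake installer's file name) are constructed assumptions, not indicators from the report.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample of endpoint network-connection events (not real telemetry):
# timestamp, image (process executable path), destination host, destination port.
SAMPLE_EVENTS = """\
2017-09-01T10:00:01,C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe,imap.gmail.com,993
2017-09-01T10:00:05,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,mail.google.com,443
2017-09-01T10:01:12,C:\\Users\\victim\\AppData\\Local\\Temp\\NetScaler_Gateway_Setup.exe,imap.gmail.com,993
2017-09-01T10:01:13,C:\\Users\\victim\\AppData\\Local\\Temp\\NetScaler_Gateway_Setup.exe,smtp.gmail.com,587
2017-09-01T10:02:40,C:\\Windows\\System32\\svchost.exe,update.microsoft.com,443
"""

# Assumed Gmail endpoints a mail-based C2 channel might use (IMAP, SMTP, web UI).
GMAIL_HOSTS = {"imap.gmail.com", "smtp.gmail.com", "mail.google.com"}
# Assumed allowlist of executables expected to reach Gmail on a managed host.
ALLOWED_IMAGES = {"thunderbird.exe", "outlook.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    image: str
    host: str
    port: int


def find_unexpected_gmail_clients(events_csv: str) -> list[Finding]:
    """Return connections to Gmail endpoints made by processes outside the allowlist."""
    findings = []
    for ts, image, host, port in csv.reader(io.StringIO(events_csv)):
        if host.lower() not in GMAIL_HOSTS:
            continue
        # Compare only the executable name, whatever directory it was launched from.
        exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if exe in ALLOWED_IMAGES:
            continue
        findings.append(Finding(ts, image, host, int(port)))
    return findings


if __name__ == "__main__":
    for f in find_unexpected_gmail_clients(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.image} -> {f.host}:{f.port}")
```

On the sample above only the two connections from the fake installer in the user's Temp directory are reported; a real deployment would feed this from endpoint connection telemetry and tune the allowlist per environment.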