Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

New Kedi RAT Uses Gmail to Exfiltrate Data

Kedi RAT Pretends to be a Citrix Utility, Transfers Data Using Gmail

Kedi RAT Pretends to be a Citrix Utility, Transfers Data Using Gmail

A newly discovered remote access Trojan (RAT) capable of evading security scanners communicates with its command and control (C&C) server via Gmail, Sophos has discovered.

Dubbed Kedi, the RAT was designed to steal data and is being spread via spear-phishing emails, the security researchers say. The observed attacks appear targeted with the malicious payload masquerading as a Citrix utility.

The RAT’s capabilities aren’t out of the ordinary: AntiVM/anti-sandbox features, the ability to extract and run embedded secondary payloads, file download/upload backdoors, screenshot grabbing, keylogging, and the ability to extract usernames, computer names, and domains. According to Sophos, most of these features are command-driven.

What makes the Trojan stand out from the crowd, however, is its ability to communicate with its C&C using Gmail (the Basic HTML version). Nonetheless, the malware can also talk to the server using DNS and HTTPS requests, the security researchers have discovered.

“Using Gmail to receive instructions from its C&C, Kedi navigates to the inbox, finds the last unread message, grabs content from message body and parses commands from this content. To send information back to command and control, base64 encodes the message data, replies to the received message, adds encoded message data and sends its message,” Sophos reveals.

The spear-phishing attack distributing the threat was observed last week. While Kedi doesn’t appear to have been involved in a widespread campaign to date, it could end up targeting more users soon, Sophos warns.

To stay protected, users should pay close attention when clicking on links or opening files they receive via email from unknown sources. Users are also advised to keep operating systems and applications up to date at all time, as well as to use and maintain an anti-virus application.

Related: Backdoored RAT Builder Kit Offered for Free

Related: New RAT Uses Popular Sites for Command and Control

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.


Security researchers with Juniper Networks’ Threat Labs warn of a new Python-based backdoor targeting VMware ESXi virtualization servers.