Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015. [1]

ID: S0074
Associated Software: Sakurel, VIPER

Platforms: Windows

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1088 | Bypass User Account Control | Sakula contains UAC bypass code for both 32- and 64-bit systems. [1] |
| Enterprise | T1059 | Command-Line Interface | Sakula calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. Sakula also has the capability to invoke a reverse shell. [1] |
| Enterprise | T1024 | Custom Cryptographic Protocol | Sakula encodes C2 traffic with single-byte XOR keys. [1] |
| Enterprise | T1073 | DLL Side-Loading | Sakula uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee's Outlook Scan About Box to load malicious DLL files. [1] |
| Enterprise | T1107 | File Deletion | Some Sakula samples use cmd.exe to delete temporary files. [1] |
| Enterprise | T1050 | New Service | Some Sakula samples install themselves as services for persistence by calling WinExec with the net start argument. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | Sakula uses single-byte XOR obfuscation to obfuscate many of its files. [1] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | Most Sakula samples maintain persistence by setting the Registry Run key SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ in the HKLM or HKCU hive, with the Registry value and file name varying by sample. [1] |
| Enterprise | T1105 | Remote File Copy | Sakula has the capability to download files. [1] |
| Enterprise | T1085 | Rundll32 | Sakula calls cmd.exe to run various DLL files via rundll32. [1] |
| Enterprise | T1071 | Standard Application Layer Protocol | Sakula uses HTTP for C2. [1] |
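Two of the entries above (T1024 and T1027) describe the same weakness from an analyst's point of view: a single-byte XOR key offers no real secrecy, because there are only 256 candidates and the key can be recovered from the ciphertext alone. The following Python helpers, added here as an illustration and not taken from the Sakula samples or the cited report, show the two standard triage approaches: brute-forcing all keys and scoring each candidate plaintext for ASCII/English-likeness (suited to XOR-encoded C2 text), and known-plaintext recovery against an expected header such as the `MZ` signature of a PE file (suited to XOR-obfuscated files on disk). The sample inputs are constructed for the example; the scoring weights are a heuristic, not a published constant.

```python
"""Single-byte XOR triage helpers (added example; not code from the Sakula samples)."""
from __future__ import annotations

from typing import Optional

# Bytes treated as "printable text": ASCII 0x20-0x7E plus tab, LF and CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
# Most frequent lowercase letters in English; used only as a scoring hint.
COMMON_LOWER = set(b"etaoinsrhl")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. The operation is its own inverse."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def score_text(candidate: bytes) -> int:
    """Heuristic text score: spaces and common letters score high,
    any non-printable byte is penalised heavily."""
    score = 0
    for b in candidate:
        if b not in PRINTABLE:
            score -= 10
        elif b == 0x20:
            score += 6
        elif b in COMMON_LOWER:
            score += 3
        else:
            score += 1
    return score


def recover_key_by_scoring(data: bytes) -> tuple[int, bytes]:
    """Try all 256 keys and return (key, plaintext) for the best-scoring candidate."""
    best_key, best_score = 0, None
    for key in range(256):
        s = score_text(xor_bytes(data, key))
        if best_score is None or s > best_score:
            best_key, best_score = key, s
    return best_key, xor_bytes(data, best_key)


def key_from_known_prefix(data: bytes, expected: bytes) -> Optional[int]:
    """Known-plaintext recovery: derive the key from the first byte and confirm
    the same key maps the whole prefix onto `expected`; None if no single key fits."""
    if not expected or len(data) < len(expected):
        return None
    key = data[0] ^ expected[0]
    if xor_bytes(data[: len(expected)], key) == expected:
        return key
    return None


# Constructed sample inputs (not real Sakula traffic or files).
SAMPLE_TEXT = (
    b"constructed sample: the quick brown fox jumps over the lazy dog\r\n"
    b"host example.invalid port 80\r\n"
)
SAMPLE_KEY = 0x5A
ENCODED_TEXT = xor_bytes(SAMPLE_TEXT, SAMPLE_KEY)

# A fake DOS header: only the first bytes matter for the known-prefix check.
FAKE_PE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
FAKE_PE_KEY = 0x33
ENCODED_PE = xor_bytes(FAKE_PE, FAKE_PE_KEY)

if __name__ == "__main__":
    key, plaintext = recover_key_by_scoring(ENCODED_TEXT)
    print(f"scoring:      key=0x{key:02x} plaintext={plaintext!r}")
    found = key_from_known_prefix(ENCODED_PE, b"MZ")
    print(f"known-prefix: key={found:#04x}" if found is not None else "known-prefix: no match")
```

The scoring approach is deliberately simple: a wrong key that differs from the true one only in the 0x20 bit swaps letter case and turns spaces into NUL bytes, and any wrong key with the high bit set pushes every byte outside the ASCII range, so spaces and line breaks in the real plaintext are what make the true key stand out. For binaries the known-prefix check is both faster and more reliable, and the same idea extends to any format whose first bytes are fixed.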


Groups that use this software:

Deep Panda