Software: Sakula, Sakurel, VIPER

Sakula, Sakurel, VIPER
Software
ID S0074
Aliases Sakula, Sakurel, VIPER
Type Malware

Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015.[1]

Techniques Used

  • Registry Run Keys / Start Folder - Most Sakula samples maintain persistence by setting the Registry Run key SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ in the HKLM or HKCU hive, with the Registry value and file name varying by sample.[1]
  • New Service - Some Sakula samples install themselves as services for persistence by calling WinExec with the net start argument.[1]
  • DLL Side-Loading - Sakula uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee's Outlook Scan About Box to load malicious DLL files.[1]
  • Rundll32 - Sakula calls cmd.exe to run various DLL files via rundll32.[1]
  • Command-Line Interface - Sakula calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. Sakula also has the capability to invoke a reverse shell.[1]
  • File Deletion - Some Sakula samples use cmd.exe to delete temporary files.[1]
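Detection logic for three of the behaviours listed above (Run-key persistence, rundll32 launched from cmd.exe, and service start via net start), as an added example that is not part of the ATT&CK page. The Sysmon-style events are constructed, and the field names and rule conditions are assumptions, not Sakula-specific indicators.

```python
"""Toy classifier for Sakula-like persistence/execution events.
Events are constructed dicts modelled loosely on Sysmon EID 13 (registry
value set) and EID 1 (process create); they are not real telemetry."""
import re

# Run key as it appears under HKLM or, for HKCU, under HKU\<SID> in Sysmon logs
RUN_KEY = re.compile(r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)

SAMPLE_EVENTS = [  # constructed sample input
    {"id": 13, "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "target": r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\x.dll,Run"},
    {"id": 1, "parent": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net start svchelper"},
    {"id": 1, "parent": r"C:\Windows\explorer.exe",          # benign control
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]


def classify(ev):
    """Return the matching technique label for one event, or None."""
    if ev["id"] == 13 and RUN_KEY.search(ev.get("target", "")):
        return "Registry Run Keys / Start Folder"
    if ev["id"] == 1:
        image = ev.get("image", "").lower()
        parent = ev.get("parent", "").lower()
        cmd = ev.get("cmdline", "").lower()
        # rundll32 spawned by cmd.exe: the page's Rundll32 + Command-Line Interface pairing
        if image.endswith("rundll32.exe") and parent.endswith("cmd.exe"):
            return "Rundll32 via Command-Line Interface"
        # net start issued by a non-system parent: service-based persistence
        if image.endswith("net.exe") and cmd.startswith("net start"):
            return "New Service (net start)"
    return None


def scan(events):
    """Return (index, label) pairs for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        label = classify(ev)
        if label:
            hits.append((i, label))
    return hits
```

The rundll32 rule fires on parent process alone, so in production it should be narrowed (for example to DLLs loaded from user-writable paths) to keep false positives manageable.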

Groups

The following groups use this software: