Sakula

Sakula is a remote access trojan (RAT) that first surfaced in 2012 and is used against high profile targets. This RAT is used by Chinese advanced persistent threat (APT) groups Deep Panda and Aurora Panda to target victims in the aerospace, government, healthcare, and technology sectors, and was notoriously used in the Anthem healthcare company and Office of Personnel Management breaches of 2014. Sakula typically infects victim machines through strategic web compromises, exploiting vulnerabilities in websites that victims are likely to visit and trust. Sakula uses installers disguised as legitimate applications needed for website functionality. The installers masquerade as Adobe Self Extractor, CITRIX Access Gateway Secure Input, Juniper SSL VPN ActiveX Plugin, Microsoft Hotfix, and Security Exchange Mail Exchange ActiveX Control. Sakula maintains persistence on the network by setting the registry Run key in either the HKLM or HKCU hive. It obfuscates many of its strings using single-byte XOR obfuscation.

The RAT's capabilities include:

Create a named pipe to send shell commands over HTTP
Create remote shell using name pipes and cmd.exe
Download and execute payloads
Upload a file by path
Execute shell command
Update C2 server
Query malware status and report to C2
Uninstall malware and itself and run key entries
Put program to sleep mode

Reporting

August 2017: On August 23, FBI arrested alleged Sakula malware threat actor, Chinese national Yu Pingan. (CNN)

Technical Details

SecureWorks provides technical details on the Sakula RAT, available here.

Sakula installer purporting to be installing Microsoft Exchange software. Image Source: SecureWorks.

Trojan VariantsNJCCICApril 26, 2017Sakula