Sakula is a remote access trojan (RAT) that first surfaced in 2012 and is used against high profile targets. This RAT is used by Chinese advanced persistent threat (APT) groups Deep Panda and Aurora Panda to target victims in the aerospace, government, healthcare, and technology sectors, and was notoriously used in the Anthem healthcare company and Office of Personnel Management breaches of 2014. Sakula typically infects victim machines through strategic web compromises, exploiting vulnerabilities in websites that victims are likely to visit and trust. Sakula uses installers disguised as legitimate applications needed for website functionality. The installers masquerade as Adobe Self Extractor, CITRIX Access Gateway Secure Input, Juniper SSL VPN ActiveX Plugin, Microsoft Hotfix, and Security Exchange Mail Exchange ActiveX Control. Sakula maintains persistence on the network by setting the registry Run key in either the HKLM or HKCU hive. It obfuscates many of its strings using single-byte XOR obfuscation.

The RAT's capabilities include:

• Create a named pipe to send shell commands over HTTP
• Create remote shell using name pipes and cmd.exe
• Download and execute payloads
• Upload a file by path
• Execute shell command
• Update C2 server
• Query malware status and report to C2
• Uninstall malware and itself and run key entries
• Put program to sleep mode

Reporting

• August 2017: On August 23, FBI arrested alleged Sakula malware threat actor, Chinese national Yu Pingan. (CNN)

Technical Details

• SecureWorks provides technical details on the Sakula RAT, available here.