S0074 Sakula
Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015. 1
Item | Value |
---|---|
ID | S0074 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 31 May 2017 |
Last Modified | 30 March 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1548 | Abuse Elevation Control Mechanism | - |
enterprise | T1548.002 | Bypass User Account Control | Sakula contains UAC bypass code for both 32- and 64-bit systems.1 |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Sakula uses HTTP for C2.1 |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Most Sakula samples maintain persistence by setting the Registry Run key SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ in the HKLM or HKCU hive, with the Registry value and file name varying by sample.1 |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | Sakula calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. Sakula also has the capability to invoke a reverse shell.1 |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | Some Sakula samples install themselves as services for persistence by calling WinExec with the net start argument.1 |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | Sakula encodes C2 traffic with single-byte XOR keys.1 |
enterprise | T1574 | Hijack Execution Flow | - |
enterprise | T1574.002 | DLL Side-Loading | Sakula uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee’s Outlook Scan About Box to load malicious DLL files.1 |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | Some Sakula samples use cmd.exe to delete temporary files.1 |
enterprise | T1105 | Ingress Tool Transfer | Sakula has the capability to download files.1 |
enterprise | T1027 | Obfuscated Files or Information | Sakula uses single-byte XOR obfuscation to obfuscate many of its files.1 |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.011 | Rundll32 | Sakula calls cmd.exe to run various DLL files via rundll32.1 |
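The T1027 row (single-byte XOR over files) and the T1573.001 row (single-byte XOR over HTTP C2) describe the same weak construction, so one added example covers both. The code below is an illustration written for this page, not Sakula code and not taken from the ATT&CK entry or its references. It recovers a one-byte XOR key three ways: from a known plaintext prefix (a PE's `MZ` header, or an HTTP request or status line for the C2 channel), from the most frequent ciphertext byte (zero padding in a PE XORs to the key itself), and by brute force over all 256 keys scored for text-likeness. The sample blobs, the key values 0x5A and 0x3C, and the prefix list are constructed assumptions for the demo, not observed Sakula artifacts.

```python
"""Recover single-byte XOR keys from XOR-obfuscated files and C2 traffic.

Added example for this page; not Sakula code and not from MITRE ATT&CK.
All inputs are constructed below; the keys 0x5A and 0x3C are arbitrary.
"""
from collections import Counter
from typing import Optional

# Plaintext prefixes to try first: PE files start with "MZ"; an HTTP C2 blob
# should decode to a request or status line. Assumed list, extend as needed.
KNOWN_PREFIXES = (b"MZ", b"GET ", b"POST ", b"HTTP/1.")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the one-byte key; encoding and decoding are identical."""
    return bytes(b ^ key for b in data)


def key_from_known_prefix(data: bytes, prefix: bytes) -> Optional[int]:
    """If the plaintext starts with `prefix`, the key is data[0] ^ prefix[0].
    The rest of the prefix is verified so a lucky first byte does not fool us."""
    if len(data) < len(prefix):
        return None
    key = data[0] ^ prefix[0]
    return key if xor_bytes(data[: len(prefix)], key) == prefix else None


def key_from_most_common_byte(data: bytes) -> int:
    """Heuristic for XORed executables: PE files carry long runs of 0x00, and
    0x00 ^ key == key, so the key is usually the most frequent ciphertext byte."""
    return Counter(data).most_common(1)[0][0]


def text_score(data: bytes) -> float:
    """Crude English/HTTP scorer: reward spaces and lowercase letters, tolerate
    other printable bytes and tab/CR/LF, punish every other control byte."""
    score = 0.0
    for b in data:
        if b == 0x20:
            score += 2.0
        elif 0x61 <= b <= 0x7A:
            score += 1.0
        elif 0x20 < b < 0x7F or b in (0x09, 0x0A, 0x0D):
            score += 0.5
        else:
            score -= 5.0
    return score


def key_by_brute_force(data: bytes) -> int:
    """Try all 256 keys and keep the one whose decode looks most like text."""
    return max(range(256), key=lambda k: text_score(xor_bytes(data, k)))


def recover_key(data: bytes) -> int:
    """Known-prefix check first, then the PE padding heuristic, then brute force."""
    for prefix in KNOWN_PREFIXES:
        key = key_from_known_prefix(data, prefix)
        if key is not None:
            return key
    key = key_from_most_common_byte(data)
    if xor_bytes(data[:2], key) == b"MZ":  # padding heuristic confirmed by the header
        return key
    return key_by_brute_force(data)


# Constructed samples (not real captures): an HTTP beacon and a PE stub, each
# XORed with an arbitrary key so the recovery functions have something to find.
SAMPLE_C2_PLAINTEXT = b"GET /index.php?id=1234 HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_C2 = xor_bytes(SAMPLE_C2_PLAINTEXT, 0x5A)
SAMPLE_PE_PLAINTEXT = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n"
)
SAMPLE_PE = xor_bytes(SAMPLE_PE_PLAINTEXT, 0x3C)

if __name__ == "__main__":
    for name, blob in (("c2", SAMPLE_C2), ("pe", SAMPLE_PE)):
        k = recover_key(blob)
        print(f"{name}: key=0x{k:02x} -> {xor_bytes(blob, k)[:40]!r}")
```

The known-prefix path is the one to reach for on a real sample: a two-byte `MZ` match has a 1-in-256 false-positive rate on arbitrary data, which is why the remaining prefix bytes are checked and why the longer HTTP prefixes sit in the same list. The most-common-byte heuristic needs no prefix at all and is the usual first move when an XORed DLL drops out of a side-loading chain; the brute-force scorer is the fallback for short C2 blobs where neither applies.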
Groups That Use This Software
ID | Name | References |
---|---|---|
G0009 | Deep Panda | 2 |