Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015. Sakula targets the Windows operating system and relies on DLL side-loading: a legitimately signed executable, typically a sample of Kaspersky Anti-Virus 6.0 for Windows Workstations or McAfee's Outlook Scan About Box, is placed next to a malicious DLL so that the trusted binary loads it.
Sakula Malware Capabilities
Sakula uses a variety of methods to avoid detection and persist on a system, including side-loading DLLs, deleting files, and encrypting or obfuscating communications. It may also add programs to startup folders or reference them in the Registry to achieve persistence.
- Sakula may use DLL side-loading to execute malicious payloads, and may delete files to cover its tracks. It may also attempt to make files and programs difficult to discover or analyze, for example by obfuscating them.
- Sakula may use known symmetric encryption algorithms to conceal command and control traffic, bypass UAC mechanisms to elevate process privileges, and create or modify Windows services to repeatedly execute malicious payloads.
- Sakula may abuse rundll32.exe to proxy execution of malicious code. Because rundll32.exe is a signed Windows binary that legitimately executes DLL payloads, security tools may allowlist it or ignore it to avoid false positives from normal operations, so DLLs loaded through it can escape scrutiny.
- Sakula may achieve persistence by adding a program to a Startup folder or referencing it with a Registry Run key.
- Sakula may communicate using application layer protocols associated with web traffic (for example HTTP) to avoid detection and network filtering by blending in with existing traffic.
Ways to Detect and Mitigate Sakula Malware Attacks
- DLL side-loading can be detected by monitoring processes for unusual activity, tracking DLL metadata (path, signature, hash), and comparing the DLLs loaded at process execution time against previous executions of the same program to spot differences, such as a familiar DLL name that is suddenly loaded from the executable's own directory instead of System32. Detecting an obfuscated file directly is difficult; it is more practical to detect the activity that produced it, such as the process that wrote it or the download that delivered it.
- Service-based persistence can be detected by monitoring process and command-line activity for actions that create or modify services, by collecting service utility execution (for example sc.exe) and service binary path arguments for analysis, and by monitoring process API calls for behavior indicative of process injection or unusual loaded DLLs. Because Sakula uses symmetric encryption for its command and control traffic, the algorithm and key can be recovered from a sample and used to decrypt captured network traffic and build signatures for its communications.
- rundll32.exe abuse can be detected with process monitoring of the execution and arguments of rundll32.exe, comparing recent invocations against prior history on the host to find anomalous and potentially adversarial activity, such as a DLL loaded from a user-writable directory. Additionally, the Registry Run keys and Startup folders can be monitored for changes, and the programs they launch can be flagged as outliers when compared against historical data. Finally, network data can be analyzed for uncommon data flows, and packet contents can be examined for application layer protocols that do not follow expected standards.
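The three host-based detections above (DLL load comparison against previous executions, rundll32.exe invocations compared against prior history, and Run key / Startup folder monitoring) as an added example, not code from the original page or from any security product. It runs over constructed Sysmon-style events (the field names Image, ImageLoaded, CommandLine, TargetObject, Details and TargetFilename follow Sysmon's, but every event, path and baseline is made up for this example, and "avtool.exe" is a stand-in for any signed host executable):

```python
"""Detection logic for Sakula tradecraft over constructed Sysmon-style events.
Everything below (baselines, history, events, file names) is made up for this
example; 'avtool.exe' stands in for a signed executable abused for side-loading."""
import ntpath  # Windows path handling that also works when run on Linux/macOS

# Constructed baseline: DLLs each executable (by file name) loaded in previous runs.
BASELINE_LOADS = {
    "avtool.exe": {"c:\\windows\\system32\\kernel32.dll",
                   "c:\\windows\\system32\\advapi32.dll"},
}
# Constructed history of rundll32.exe command lines already seen on this host.
RUNDLL32_HISTORY = {"rundll32.exe shell32.dll,Control_RunDLL"}
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed user SID

EVENTS = [  # constructed telemetry, in arrival order
    # Benign: the host binary in its install directory loads a baseline DLL.
    {"type": "ImageLoad", "Image": r"C:\Program Files\AVTool\avtool.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    # Low confidence: a DLL not seen before, but loaded from System32.
    {"type": "ImageLoad", "Image": r"C:\Program Files\AVTool\avtool.exe",
     "ImageLoaded": r"C:\Windows\System32\ws2_32.dll"},
    # Side-loading pattern: the same binary, copied to a user-writable directory,
    # loads a familiar DLL name from its own directory instead of System32.
    {"type": "ImageLoad", "Image": r"C:\Users\Public\Update\avtool.exe",
     "ImageLoaded": r"C:\Users\Public\Update\advapi32.dll"},
    # rundll32 invocation already in history (ignored).
    {"type": "ProcessCreate", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    # rundll32 loading a DLL from a user-writable path, never seen before.
    {"type": "ProcessCreate", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\Public\Update\loader.dll",Start'},
    # Run key value written by the suspicious process.
    {"type": "RegistryValueSet", "Image": r"C:\Users\Public\Update\avtool.exe",
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\Update\avtool.exe"},
    # Unrelated registry write (ignored).
    {"type": "RegistryValueSet", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    # Shortcut dropped into a Startup folder.
    {"type": "FileCreate", "Image": r"C:\Users\Public\Update\avtool.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"},
]


def detect_sideload(events, baseline=BASELINE_LOADS):
    """Compare each ImageLoad with what the same executable name loaded before.
    Returns (image, dll, tag): 'sideload' when a DLL name known from the baseline
    now loads from the executable's own directory, 'new_dll' for any other new load."""
    alerts = []
    for ev in events:
        if ev["type"] != "ImageLoad":
            continue
        image, dll = ev["Image"], ev["ImageLoaded"]
        known = baseline.get(ntpath.basename(image).lower(), set())
        if dll.lower() in known:
            continue
        known_names = {ntpath.basename(p) for p in known}
        same_dir = ntpath.dirname(dll).lower() == ntpath.dirname(image).lower()
        familiar = ntpath.basename(dll).lower() in known_names
        alerts.append((image, dll, "sideload" if familiar and same_dir else "new_dll"))
    return alerts


def dll_from_rundll32_cmdline(cmdline):
    """Return the DLL argument of a rundll32 command line ('' if absent).
    rundll32 takes '<dll>,<entrypoint>' as its first argument; quotes are stripped."""
    parts = cmdline.split(None, 1)
    return parts[1].split(",", 1)[0].strip().strip('"') if len(parts) > 1 else ""


def detect_rundll32(events, history=RUNDLL32_HISTORY):
    """Flag rundll32.exe invocations absent from prior history. Returns
    (cmdline, dll, outside_windows); an absolute DLL path outside the Windows
    directory is the stronger signal (bare names resolve via DLL search order)."""
    alerts = []
    for ev in events:
        if ev["type"] != "ProcessCreate" or ntpath.basename(ev["Image"]).lower() != "rundll32.exe":
            continue
        cmd = ev["CommandLine"]
        if cmd in history:
            continue
        dll = dll_from_rundll32_cmdline(cmd)
        outside = bool(ntpath.dirname(dll)) and not dll.lower().startswith("c:\\windows\\")
        alerts.append((cmd, dll, outside))
    return alerts


def detect_persistence(events):
    """Flag Run/RunOnce value writes and files created in a Startup folder."""
    alerts = []
    for ev in events:
        if ev["type"] == "RegistryValueSet":
            if any(m in ev["TargetObject"].lower() for m in RUN_KEY_MARKERS):
                alerts.append(("run_key", ev["TargetObject"], ev["Details"]))
        elif ev["type"] == "FileCreate" and STARTUP_MARKER in ev["TargetFilename"].lower():
            alerts.append(("startup_folder", ev["TargetFilename"], ev["Image"]))
    return alerts


if __name__ == "__main__":
    for name, fn in (("sideload", detect_sideload), ("rundll32", detect_rundll32),
                     ("persistence", detect_persistence)):
        for hit in fn(EVENTS):
            print(name, hit)
```

The baselines here are static dictionaries; in practice they would be built from the same telemetry over a learning window per host, and the "new_dll" tag is only useful as a low-priority signal that becomes interesting when it correlates with the other two detections on the same process, as it does in the constructed events above.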