Sakula Malware Family

Summary

Dell SecureWorks Counter Threat Unit™ (CTU™) researchers analyzed multiple versions of a remote access trojan (RAT) named Sakula (also known as Sakurel and VIPER). The RAT, which according to compile timestamps first surfaced in November 2012, has been used in targeted intrusions through 2015. Sakula enables an adversary to run interactive commands as well as to download and execute additional components.

Sakula uses HTTP GET and POST communication for command and control (C2). Network communication is obfuscated with single-byte XOR encoding. Sakula also leverages single-byte XOR encoding to obfuscate various strings and files embedded in the resource section, which are subsequently used for User Account Control (UAC) bypass on both 32 and 64-bit systems. Most samples maintain persistence through a registry Run key, although some samples configure themselves as a service.

Analysis

CTU researchers performed detailed analysis on 346 Sakula samples, including the installer and all dropped files used by the malware to run. The earliest compilation timestamp is November 21, 2012. As of this publication, the most recent sample observed by CTU researchers was compiled on January 1, 2015. Some installers compiled in 2013 are configured to drop samples compiled in 2014, suggesting that the initial installer has been successful and that the adversary has a build process that permits them to easily re-use components. Multiple samples include their debug information, which yielded properties like LANG_NAME and SUBLANG_NAME (whose values are 'LANG_CHINESE' and 'SUBLANG_CHINESE_SIMPLIFIED', respectively).

Delivery

CTU researchers observed a copy of Sakula being delivered in a strategic web compromise (SWC) that exploited CVE-2014-0322, which was a zero-day vulnerability in Internet Explorer at the time of compromise. A subset of Sakula variants are digitally signed, allowing them to bypass security controls and providing users with a false sense of security that the software is legitimate. Table 1 lists the publisher names, thumbprints, and serial numbers used by Sakula to digitally sign its installer component.

Table 1. Signature properties of certificates used to sign Sakula malware.

Some installers masqueraded as the following applications and used social engineering to convince users that the applications were required to do business:

• Adobe Self Extractor
• CITRIX Access Gateway Secure Input
• Juniper SSL VPN ActiveX Plugin
• Microsoft Hotfix
• Security Exchange Mail Exchange ActiveX Control

Figures 1 through 5 show the status windows that the Sakula installers display to victims.

Figure 1. Screenshot of Sakula installer purporting to be installing Adobe software. (Source: Dell SecureWorks)

Figure 2. Screenshot of Sakula installer purporting to be installing Juniper software. (Source: Dell SecureWorks)

Figure 3. Screenshot of Sakula installer purporting to be installing Exchange software. (Source: Dell SecureWorks)

Figure 4. Screenshot of Sakula installer purporting to be installing Juniper software. (Source: Dell SecureWorks)

Figure 5. Screenshot of Sakula installer purporting to be installing a Microsoft ActiveX Control. (Source: Dell SecureWorks)

Installation

In most of the samples collected by the CTU research team, Sakula maintains persistence by setting the registry Run key (SOFTWARE\Microsoft\Windows\CurrentVersion\Run\) in either the HKLM or HKCU hive. The hive decision is based on the installer's ability to write to the %TEMP% directory. Through 2013, registry persistence was set using standard Windows APIs. In the samples compiled in 2014, the adversary switched to adding the Run key by invoking cmd.exe:

cmd.exe /c reg add %s\Software\Microsoft\Windows\CurrentVersion\Run /v "%s" /t REG_SZ /d "%s"

The registry value and filename vary by sample. CTU researchers extracted the following parameters:

Values:

• MicroMedia
• JuniperACX
• MicroSoftMedia
• CCPUpdate
• SenseSvc

Filenames:

• MediaCenter.exe
• AdobeUpdate.exe
• JuniperSafeACX.exe
• MicroPlayerUpdate.exe
• CitrixReciever.exe
• SensrSvc.exe
• SensrSvc2013.exe
• MicroSoftSecurityLogin.ocx
• Utmm.ocx
• Sweep.exe
• pdfforie.exe
• shiape.exe

In the cases where Sakula does not use a registry key for persistence, it attempts to set itself up as a service (see Table 2). It invokes itself by calling WinExec with the "net start %s" argument (without quotes), where "%s" is the service name.

Table 2. Properties used by Sakula when setting itself up as a service.

Other than the service setup, the resident file location is fairly consistent across all samples. Most Sakula samples install their components within a directory under %TEMP%. The actual value of the environment variable is identified by an API call to ExpandEnvironmentStringsA. Three of the analyzed samples placed files in %APPDATA%, while the remaining Sakula samples placed files in a directory under %ALLUSERSPROFILE%. A small number of samples did not use an additional subdirectory. CTU researchers discovered Sakula files being installed under the following directory paths:

• %TEMP%\MicroMedia\
• %TEMP%\JuniperACX\
• %TEMP%\MicroMedia\
• %TEMP%\MicroSoftMedia\
• %ALLUSERSPROFILE%\MicroMediaCCP\
• %TEMP%\
• %ALLUSERSPROFILE%\
• %APPDATA%\

The 2014 samples maintain persistence with the same SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ registry key, but Sakula leverages DLL side-loading, which involves running a legitimate, typically digitally signed, program that loads a malicious DLL. The legitimate application is a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations. When the Kaspersky application is run, it loads a file named msi.dll, which is located within the same directory. The msi.dll file is configured to read and XOR-decode setup.msi, also located in the same directory, and run it in memory. The XOR-decode process, which skips zeroes, uses the single-byte key 0x88.

The 2015 sample differs from the 2014 samples in the files used and how the persistence mechanism is executed. Instead of the Kaspersky application, the 2015 sample uses a legitimately signed file from McAfee's Outlook Scan About Box application. Sakula names this file either MicroWhoknow.dll or Emabout.dll. There are two additional files within the same directory. The first, shutil.dll, is loaded by MicroWhoknow.dll or Emabout.dll and is configured to read and XOR-decrypt Thumbs.db using the same XOR key value as setup.msi. The other is the registry key used for persistence, which uses VBScript to call cmd.exe to run a DLL via the rundll32 application, passing the Plugupdate export within the MicroWhoKnow.dll as its entry point:

HKU\Software\Microsoft\Windows\CurrentVersion\Run\MicroWhoknow: "mshta vbscript:CreateObject("WScript.Shell").Run("cmd /c cd C:\Users\user\AppData\Local\Temp\MicroWhoknow && rundll32 MicroWhoknow.dll Plugupdate",0)(window.close)" 

Multiple samples contain UAC bypass code for both 32 and 64-bit systems. The UAC bypass code is stored as 'DAT' in the file's resource section. The two DLLs are stored in separate items, identified as 101 and 102. The files are single-byte XOR-encoded with the value 0x24. The decode process skips hex bytes identical to the XOR key and zeroes. Based on whether the compromised system is 32-bit or 64-bit, the appropriate file is written and run using cmd.exe calling rundll32 on the DLL with the PlayWin32 or PlayWin64 export.

Persistence for the UAC bypass DLL file is maintained via a SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ registry key in the HKLM or HKCU hive, with the value "CCPUpdate". Other Sakula variants temporarily write the files to disk and execute each time the main Sakula application is called. In these cases, the temporary file is written to the %TEMP% directory, and the filename is a combination of numbers generated from a call to GetTickCount and the '.dat' extension (e.g., 2225260.dat). In some instances, the filename is prefaced with the word "Center" (e.g., Center509671.dat).

In a small group of Sakula samples from 2013, the install process also modified the hosts file to point some of the victim's subdomains to various IP addresses within the victim's own organization. The malware also registered a file as a command component within the registry.

In the Sakula samples where the install process performed cleanup, the malware invoked cmd.exe. This process was instantiated by first performing a ping request to localhost to ensure the install process completed before the temporary file was deleted:

C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 & del /q %TEMP%\Center73946.dat

On a subset of samples compiled in 2014, Sakula invoked the default web browser, which loaded a hard-coded URL. This action occurred after the seemingly legitimate application (discussed in the Delivery section) finished installing. Of the following URLs hard-coded within the malware, only the first three appeared to be under the adversary's control:

• http:// www . qzbwcq . com/cookie.html
• http:// sharepoint-vaeit . com/login.php?ref
• http:// extcitrix . we11point . com/vpn/index.php?ref=1
• https:// portal . caci . com/
• https:// webmail . mfa . gov . mn/
• http:// cabinet . gov . mn/mfa-gov/Success.html
• http:// www . bisononthevinayerd . org/BisonOntheVineyard.pdf

Capabilities

Sakula obfuscates many of its strings using single-byte XOR obfuscation. Samples with a 2012 compile timestamp use a key value of either 0x88 or 0x56. Samples compiled in 2013 and 2014 use a key value of 0x56, while the lone 2015 sample uses 0x57.

Core functionality across all Sakula samples is fairly consistent. While there are some minor differences among the samples, Sakula typically implements eight commands (see Table 3).

Table 3. Command functionality available in Sakula samples analyzed by CTU researchers.

The "OR" in Table 3 indicates that the feature for that case varied by sample. For Case 2, the randomly named file is generated each time the command is used. It is sourced from a call to GetTickCount and is appended with ".exe". Case 8 was observed in samples compiled in mid-2013, with the Sleep command introduced in the only 2015 sample identified as of this publication.

Command and control

Sakula uses HTTP GET and POST for command and control, with most samples configured with only one C2 server. The network communications are encoded with the single-byte XOR keys listed in Table 4.

Table 4. Single-byte XOR keys used to decode network traffic.

The URI patterns used to communicate with the C2 server are fairly consistent across all samples regardless of compile time. Table 5 lists a breakdown of format by HTTP method in the analyzed Sakula samples.

Table 5. Sakula URI formats by HTTP method. URIs using %s insert a string of characters, and %d insert digits.

Sakula uses hard-coded User-Agents in its C2 communications but did not mimic standard browser User-Agents until 2014:

• iexplorer
• Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+SV1)
• Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Conclusion

The Sakula RAT has been in use since 2012 with very few changes to the code base, which indicates that it is effective in targeted intrusions. Simplistic in nature, the small command set for Sakula allows its operator to actively control a compromised system, download and execute additional components, and hide in plain sight with single-byte XOR-encoded HTTP GET and POST C2 communications.

Threat indicators

The threat indicators in Table 6 can be used to detect activity related to Sakula. The IP addresses and domains may contain malicious content, so consider the risks before opening them in a browser.

Table 6. Threat indicators for Sakula.