
Sakula

Posted: August 15, 2019

Sakula is a Remote Access Trojan (RAT) that gives attackers capabilities such as executing shell commands and uploading or downloading files. Its most infamous deployments include the attacks on a US federal employee database and on health insurers. Users can protect themselves by following safe Web-browsing practices, avoiding unsafe e-mail interactions, and keeping reputable anti-malware tools at hand to remove Sakula as soon as it is detected.

Chinese Trojans Accomplishing a Lot by Doing a Little

Specialization of features can turn even the narrowest of RATs into a threat that multinational companies and well-funded governments cannot ignore. Sakula has demonstrated that fact since at least 2012, as a hacking tool whose functions exert control over the system while keeping the Trojan out of the user's sight. While Yu Pingan, the man US prosecutors linked to its distribution, was arrested in 2017, nothing about Sakula's software implies that it is no longer capable of doing its job.

Sakula's history encompasses attacks that stole roughly eighty million customer records from the Anthem health insurance firm and the personal details of more than twenty million current and former US government workers, among others. The RAT is a known tool of APT19, also tracked as Deep Panda, and has been linked to Aurora Panda as well. Unlike most RATs, which arrive through crafted e-mail attachments or links, Sakula more often results from the victim's visiting a compromised website. The drive-by download offers a fake installer posing as software like Microsoft's Hotfix, Adobe's Self Extractor or the Security Exchange Mail Exchange ActiveX Control.

After getting aboard and modifying the Registry for persistence, Sakula reports to its command-and-control (C&C) server and awaits instructions. The relayed commands support actions such as:

  • Executing shell commands
  • Uploading files (specified by path)
  • Downloading and executing files
  • Creating a CMD-based shell for remote administration
  • Self-uninstallation
  • Hibernation
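A practitioner's first check against the persistence behaviour described above is to audit the Registry Run keys that RATs of this kind commonly write to. The script below is an added example, not Sakula's code and not a Sakula signature: it enumerates the Run and RunOnce keys and flags entries whose heuristics are assumptions chosen for illustration (binary in a user-writable directory, missing or invalid Authenticode signature, target file missing, or a filename that borrows one of the brands the page says Sakula imitates).

```powershell
# Added example: audit Run/RunOnce persistence entries and flag suspicious ones.
# Generic hygiene code, not Sakula's own code. The heuristics are assumptions:
#  - the launched binary lives under a user-writable directory, or
#  - its Authenticode signature is missing or invalid, or
#  - the target file no longer exists, or
#  - its name imitates a software brand (Hotfix, Adobe, ActiveX, self-extractor).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE,
                  "$env:SystemDrive\Users\Public")
$decoyNames = 'hotfix|adobe|activex|selfextract'   # assumed decoy-name pattern

function Get-ExePath([string]$command) {
    # Recover the executable path from a Run value: quoted path, or first token.
    if ($command -match '^"([^"]+)"') { return $Matches[1] }
    return ($command -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, ...)
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath $p.Value))
        if ([string]::IsNullOrWhiteSpace($exe)) { continue }
        $reasons = @()
        foreach ($dir in $userWritable) {
            if ($dir -and $exe.StartsWith($dir, 'OrdinalIgnoreCase')) {
                $reasons += "user-writable path ($dir)"; break
            }
        }
        if ((Split-Path $exe -Leaf) -match $decoyNames) { $reasons += 'imitates a software brand' }
        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        } else {
            $reasons += 'target file missing'
        }
        [PSCustomObject]@{
            Key        = $key
            Name       = $p.Name
            Command    = $p.Value
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}
```

Run it from an elevated PowerShell session so the HKLM keys are readable, and pipe the output through `Where-Object Suspicious` to see only the flagged entries. Unsigned binaries in a user-writable path are common for legitimate software too, so treat a hit as a lead for manual review rather than proof of Sakula.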

Steering Your Browser Away from Trojan Pitfalls

Just as hunters set traps where desirable prey or vermin are known to pass, Sakula's campaigns do not rely on randomly selected websites. The websites compromised to spread the Trojan carry highly targeted traffic and exploit regional and industry-specific content. As noted above, Sakula also borrows the brands and names of well-known software, which helps trick workers into running the threat, supposedly to view the rest of the website's otherwise unavailable content.

Like nearly all RATs, Sakula is a high-level threat that shows few symptoms, except to the cyber-security specialists looking for specific indicators of compromise. Since Sakula's history includes significant lateral movement across workstations, users should disconnect any infected machine from the Internet and isolate it from the rest of the network. Professional anti-malware tools should detect the intrusion and remove Sakula as needed.

Yu Pingan's encounter with law enforcement does little to stop the ongoing security risk that Remote Access Trojans pose to the world. Sakula leverages its modest feature set to the utmost, and the price of giving it free rein is evident: virtually unlimited amounts of sensitive data can end up in the wrong hands.
