Dell SecureWorks Counter Threat Unit™ (CTU) researchers conducted a longitudinal analysis of the malware family called Sakula (also known as Sakurel and VIPER), which targeted organizations in multiple verticals. Since at least November 2012, the malware has given threat actors remote access to compromised systems.
In 2014, Sakula malware became publicly known when it was spotted being delivered via a compromised website hosting an exploit for a zero-day bug affecting Internet Explorer (CVE-2014-0322). The remote access trojan (RAT) is both dangerous and stealthy – a subset of variants are digitally signed, enabling them to bypass security controls and trick victims into thinking the malware is legitimate software. It uses HTTP GET and POST communication for command and control (C2), and obfuscates both its network communication and various strings and files with single-byte XOR encoding.
Symantec mentioned Sakula in a recent report on the ‘Black Vine’ collection of backdoors and network infrastructure. CTU researchers’ detailed technical analysis of Sakula includes information about its capabilities, as well as threat indicators that network defenders can use to identify the Sakula malware on the endpoint and network.