The Sakula RAT (Remote Access Trojan) is a threat that has been annoying users since 2012. As most threats of this type, it allows its operators to gain some remote control over the infected host. Malware experts believe that the Sakula RAT originates from China and is likely a creation of the infamous Aurora Panda APT (Advanced Persistent Threat) in cooperation with the Deep Panda group. It appears that the Sakula RAT has already been employed in various campaigns with high-profile targets in government and medical institutions, as well as corporations involved in the technology and aerospace industry.
Among the propagation methods used in the spreading of the Sakula RAT are bogus application installers, which were masked as legitimate services. Some of the legitimate applications that the Sakula RAT was masquerading as are the ActiveX Plugins, Adobe Updater, Microsoft Update/Hotfix and ActiveX Controls.
Persistence and Capabilities
Once the Sakula Trojan manages to infect a host, it will make sure to gain persistence by tampering with the Windows Registry immediately. Alternatively, the Sakula RAT creates a fake Windows Service that is programmed to start as soon as the operating system boots up. The services are named after popular software suites to make them look legitimate - e.g. 'Office Auto Update' or 'Apple Service.' When this is completed, the Sakula RAT will establish a connection with the attackers C&C (Command & Control) server.
The Sakula RAT is able to:
- Upload files.
- Download files.
- Execute files.
- Change the address of the C&C server.
- Execute remote shell commands.
Thanks to the fact that the Sakula RAT is seven years old, it does not possess some of the new features that more contemporary RATs have and is not as threatening as them. However, it is still not to be underrated as it has the capacity to cause significant damage to an infected host. You should make sure you have installed a reputable anti-virus solution that will keep your system safe.