Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
Pique Analysis Report
20150828-270-Dell SecureWorks-Sakula
Raytheon Blackbird Technologies, Inc.
28 Aug 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
1.0 (U) Analysis Summary
(S//NF) The following report details a Remote Access Tool named Sakula, also known as Sakurel
and VIPER. This RAT has been in use since 2012.
(S//NF) Sakula has been observed being delivered in a strategic web compromise that used the
CVE-2014-0322 vulnerability when it was still a zero-day in Internet Explorer. Some variants
have also been digitally signed so that they appear to be legitimate software.
(S//NF) This RAT either sets a registry key or installs itself as a service to maintain persistence.
The report states that UAC bypass is achieved by running a DLL; however, no further details are
provided. Sakula uses HTTP GET and POST communications for command and control (C&C).
Network communications are obfuscated using single-byte XOR encoding. The same technique
is also used to obfuscate strings and files in the malware.
(S//NF) In conclusion, Sakula is a very simplistic RAT that hides its traffic by XOR encoding the
data. No new techniques worthy of a PoC were presented.
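The summary's point that single-byte XOR is a weak obfuscation is easiest to see by recovering the key. The following is an added analysis example, not code from the report or from the malware: the key byte 0x5A, the sample beacon text and the `example.invalid` host are constructed for illustration, and the scoring heuristic is the author's own. It shows the two ways an analyst strips this encoding from captured C2 traffic or from strings in a sample (a known-plaintext guess such as an HTTP method, or a brute force over all 256 keys), and why the encoding does not raise the byte entropy of the data, which is one reason it is easy to spot.

```python
"""
Single-byte XOR obfuscation as used for C2 traffic and embedded strings:
how it is applied, how an analyst recovers the key, and why it leaves the
byte distribution (and therefore the entropy) of the plaintext unchanged.
Added example; key, sample text and heuristic are constructed, not taken
from the report or the malware.
"""
import math
from collections import Counter


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. XOR is its own inverse, so the
    same call both obfuscates and de-obfuscates."""
    return bytes(b ^ key for b in data)


def printable_score(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/CR/LF. Correctly
    decoded text scores 1.0; a wrong key yields control or high-bit bytes."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def recover_xor_key(blob: bytes, known_prefix: bytes = b"") -> int:
    """Recover the key byte from an obfuscated blob.

    With a known plaintext prefix (e.g. b'GET ' for HTTP-carried C2) a
    single byte of ciphertext gives the key directly; the rest of the prefix
    is checked to confirm the guess. Otherwise brute-force all 256 keys and
    keep the one whose output looks most like text.
    """
    if known_prefix:
        key = blob[0] ^ known_prefix[0]
        if xor_single_byte(blob[: len(known_prefix)], key) == known_prefix:
            return key
        raise ValueError("known prefix does not fit any single-byte key")
    return max(range(256), key=lambda k: printable_score(xor_single_byte(blob, k)))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. A constant XOR only permutes byte values, so the
    histogram, and hence the entropy, is identical before and after."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_beacon(blob: bytes) -> bytes:
    """Full analyst path: recover the key by brute force, then decode."""
    return xor_single_byte(blob, recover_xor_key(blob))


# Constructed sample: an imaginary HTTP GET beacon XORed with an arbitrary
# key byte. Neither the key nor the URI shape is taken from the report.
SAMPLE_KEY = 0x5A
BEACON = b"GET /index.php?id=HOST-01 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
OBFUSCATED_BEACON = xor_single_byte(BEACON, SAMPLE_KEY)

if __name__ == "__main__":
    print("brute-force key  :", hex(recover_xor_key(OBFUSCATED_BEACON)))
    print("known-prefix key :", hex(recover_xor_key(OBFUSCATED_BEACON, b"GET ")))
    print("decoded          :", decode_beacon(OBFUSCATED_BEACON)[:34])
    print("entropy plain/obf:", round(shannon_entropy(BEACON), 3),
          round(shannon_entropy(OBFUSCATED_BEACON), 3))
```

The entropy check is the defender's angle: because the byte histogram is only relabelled, single-byte XOR data looks statistically like the plaintext it hides, unlike real encryption or compression, so a string or network payload with text-like entropy but no readable text is a strong hint that this encoding is in play.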
2.0 (U) Description of the Technique
(S//NF) No techniques are recommended for PoC development.
3.0 (U) Identification of Affected Applications
(U) Windows, Internet Explorer
4.0 (U) Related Techniques
(S//NF) RAT
5.0 (U) Configurable Parameters
(U) None
6.0 (U) Exploitation Method and Vectors
(S//NF) Sakula is delivered using a strategic web compromise leveraging CVE-2014-0322, an
Internet Explorer vulnerability.
7.0 (U) Caveats
(U) None.
8.0 (U) Risks
(S//NF) Not applicable because we do not recommend any techniques for PoC development.