Sakula is a remote access tool associated with multiple APT campaigns. Once it infects a victim machine, Sakula can perform many tasks including launching remote shells, enumerating processes and downloading files. In this blog post, we will discuss how to detect Sakula C2 beaconing activity.
Sakula variants try to connect to their C2 domains or C2 IP addresses using HTTP GET and POST requests. Below is a screenshot of reconstructing one of the sessions in RSA Security Analytics:
The User-Agent string in this session stands out and could be used to develop an app rule:
Applying this rule in Security analytics shows that the UA string is used to beacon to C2 domains from multiple infected machines in RSA FirstWatch malware analysis systems:
Although the UA string above is commonly used by Sakula, we have seen samples that follow the same URL pattern but with a totally different UA string. So it is better to develop an app rule that focuses on the URL elements. Assuming the appropriate meta keys are enabled, the following query can be used:
extension = 'asp','jpg' && query begins 'imageid=','cstring=','resid='
Scan results for a Sakula variant can be viewed here.
Finally, all of the IOCs from those HTTP sessions were added to RSA FirstWatch Live feeds.