Sakula

Malware updated 6 months ago (2024-05-04T17:38:18.801Z)
Sakula is a malware family: malicious software designed to compromise and damage computer systems. It typically reaches a system through suspicious downloads, e-mail attachments, or websites, often without the user noticing. Once installed, Sakula can steal personal information, disrupt operations, or hold data for ransom. The malware is delivered as an ".EXE" file and embeds itself into the system. It communicates with its command-and-control (C2) servers over obfuscated traffic, encoded with the single-byte XOR key 0x56. Notably, Sakula samples were found to carry both 32-bit and 64-bit DLL files, obfuscated, in their resource sections. Sakula was first brought to public attention by the security firm CrowdStrike in a blog post titled 'Sakula Reloaded'; Dell SecureWorks published a detailed analysis in its article 'Sakula Malware Family'. However, during the investigation of a different sample in Forensic Threat Analysis (FTA) #1020, significant differences from the known characteristics of Sakula were observed: unlike Sakula, the malware analyzed there was delivered as a ".DLL" file. Because of these distinguishing characteristics, it was classified separately from Sakula and named Hi-Zor. This distinction underlines the importance of thorough analysis in correctly identifying and categorizing new malware variants, which can differ significantly from previously documented versions.
Description last updated: 2023-11-28T19:59:23.511Z
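The description notes that Sakula's C2 traffic is obfuscated with the single-byte XOR key 0x56. The following is an added example (not code from the page, CrowdStrike or Dell SecureWorks) showing how an analyst can decode a captured C2 blob with that key, and how to recover the key from a capture when it is not known in advance by trying all 256 candidates and scoring the output for printable text. The sample "capture" is constructed in the block; the function names and the 0.95 printable-ratio threshold are this example's own choices.

```python
"""Decode and key-recover single-byte XOR'd C2 traffic (added example, not from the page)."""
from typing import Optional

# Key given in the Sakula description above.
SAKULA_XOR_KEY = 0x56


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. The operation is its own inverse,
    so the same call both obfuscates and de-obfuscates."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must fit in one byte")
    return bytes(b ^ key for b in data)


def decode_sakula_c2(blob: bytes) -> bytes:
    """Apply the documented Sakula key to a captured C2 payload."""
    return xor_single_byte(blob, SAKULA_XOR_KEY)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, LF or CR."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return printable / len(data)


def recover_key(blob: bytes, min_ratio: float = 0.95) -> Optional[int]:
    """Brute-force all 256 single-byte keys and return the one whose output
    is mostly printable text; None if no key clears the threshold.
    This only works when the underlying plaintext is text-like (e.g. HTTP),
    which is the case for the beacon traffic an analyst would typically inspect."""
    best_key, best_ratio = None, 0.0
    for key in range(256):
        ratio = printable_ratio(xor_single_byte(blob, key))
        if ratio > best_ratio:
            best_key, best_ratio = key, ratio
    return best_key if best_ratio >= min_ratio else None


# Constructed sample: a plausible HTTP beacon, obfuscated the way the
# description says Sakula obfuscates its traffic. Not a real capture.
SAMPLE_PLAINTEXT = b"GET /index.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
ENCODED_SAMPLE = xor_single_byte(SAMPLE_PLAINTEXT, SAKULA_XOR_KEY)


if __name__ == "__main__":
    key = recover_key(ENCODED_SAMPLE)
    print(f"recovered key: {key:#04x}" if key is not None else "no key found")
    print(decode_sakula_c2(ENCODED_SAMPLE).decode("ascii", errors="replace"))
```

The brute force relies on a text-like plaintext: bytes such as digits, CR/LF and letters constrain the key enough that only the correct key yields fully printable output, while a random or compressed payload scores poorly under every key and returns None.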
Aliases: none currently tracked.
Source Document References
Information about the Sakula malware was read from the document corpus below.
Source: MITRE (created 2 years ago)