Open Hunting - Threat Library

Openhunting Threat Library

Sality

Sality, Sector, Kuku, SalLoad, Kookoo, SaliCode, Kukacka

(Type: Botnet, Worm, Downloader, Loader)

(Cylance) The Sality virus infects local executables, removable storage, and remotely shared drives. It creates a peer-to-peer botnet which facilitates the downloading and execution of other malware. Sality can perform malicious code injection and modify its entry point to force code execution. This malware remains viable by adopting the successful strategies of other threats, implementing techniques like rootkit/backdoor capability, keylogging, and worm-like propagation.

[News Analysis] Trends:

Total Trend: 9

Trend Per Year

2011

2015

2017

2020

2021

2022

Trend Per Month

Jul 2011

Dec 2015

May 2017

Oct 2017

May 2020

Oct 2021

Apr 2022

Jul 2022

[News Analysis] News Mention Another Threat Name:

[TTP Analysis] Technique Performance:

reconnaissance

0/43

resource development

0/45

initial access

0/19

execution

0/36

persistence

0/113

privilege escalation

0/96

defense evasion

0/184

credential access

0/63

discovery

0/44

lateral movement

0/22

collection

0/37

command and control

2/39

exfiltration

0/18

impact

0/26

[TTP Analysis] Mitre Attack Matrix:

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
											T1573.002 Encrypted Channel : Asymmetric Cryptography T1090.003 Proxy : Multi-hop Proxy

[Infrastructure Analysis] Based on Related IOC:

IP:Port	Timestamp

Domain	Timestamp

URL	Timestamp
http://89.119.67.154/testo5/	2023-10-30
http://kukutrustnet777888.info/	2023-10-30
http://klkjwre77638dfqwieuoi888.info/	2023-10-30
http://www.klkjwre9fqwieluoi.info/	2023-10-30

[Target Analysis] Region/Sector:

No information

References:

News Basic Information Indicator of Compromise Mitre Attack

News Article (Credit @Malpedia)

The Trojan Horse Malware & Password “Cracking” Ecosystem Targeting Industrial Operators

2022-07-14 by Sam Hanson from Dragos

AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure

2022-04-20 by CISA from CISA

Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure

2022-04-20 by CISA from CISA

Portable Executable File Infecting Malware Is Increasingly Found in OT Networks

2021-10-27 by Ken Proska from Mandiant

Using AI to Detect Malicious C2 Traffic

2020-05-24 by Ajaya Neupane from Palo Alto Networks Unit 42

Sality Configuration Extractor (sality_extractor.py)

2017-10-29 by quangnh89 from

Botnet Protocol Inference in the Presence of Encrypted Traffic

2017-05 by Lorenzo De Carli from IEEE

Sality: 2003 - Today

2015-12-02 by Peter Kleissner from Botconf

Sality: Story of a Peerto-Peer Viral Network

2011-07 by Nicolas Falliere from Symantec

Basic Information (Credit @etda.or.th)

Tool: Sality

Names: Sality, Sector, Kuku, SalLoad, Kookoo, SaliCode, Kukacka

Description: (Cylance) The Sality virus infects local executables, removable storage, and remotely shared drives. It creates a peer-to-peer botnet which facilitates the downloading and execution of other malware. Sality can perform malicious code injection and modify its entry point to force code execution. This malware remains viable by adopting the successful strategies of other threats, implementing techniques like rootkit/backdoor capability, keylogging, and worm-like propagation.

Category: Malware

Type: Botnet, Worm, Downloader, Loader

Information: https://threatvector.cylance.com/en_us/home/cylance-vs-sality-malware.html

Information: https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf

Information: https://en.wikipedia.org/wiki/Sality

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.sality

Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:Sality

Last-card-change: 2020-05-24

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

Indicators of Compromise (Credit @ThreatFox)

URL

http://89.119.67.154/testo5/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
http://www.klkjwre9fqwieluoi.info/

SHA256_HASH

2eb74de9b3c016d03b96378e59557a6524918745c9c48df2a5a7ea5ca92d375a
513c36f4a21c7ebf125fe36b98fb2c065898b9f543a6e8dbbf3f9a041c5b86fa
33f8b063fa9eef4d6e83779a5f93c4ca9b8597c4e328ff0f789cbde0d72d24d0
4444e65841972ce81243575afa168ebbe54e7cc2db6aa34d996f53a6b2d99043
85e576aba88b0b3805d924e344feff58c27992d02675ba86126b88cb790afb7c
4ee41060b8f1c5679b10bebb8378f353ea62eb38ab27f041e3727dd8cb06b19d
f3dda8f48606c448d22a7b407f61757605acc028d3deddd0ad8c1e2742efcf86
cea7a79f688fe24df1c614bc6fdcb281c056f882307e2b9f7841dca56ae923f0
f66117bb7aff5ea3fb4241a5477edebc1f84844376b56b3c6ba6f5de7004d4c7
1e21f175cd66fe91b5ff770b1e74c61b2df04c13044388e36dfd3d0768c9e6e5
bdb1b6c2151038f1023b551d26ef4eab2d5321066d3352d5357b8bee301b67b0

TTP Info (Credit @Mitre)

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
											T1573.002 ENCRYPTED CHANNEL : ASYMMETRIC CRYPTOGRAPHY tor encapsulates traffic in multiple layers of encryption, using tls by default. T1090.003 PROXY : MULTI-HOP PROXY traffic traversing the tor network will be forwarded to multiple nodes before exiting the tor network and continuing on to its intended destination.