Earlier this week Dell SecureWorks Counter Threat Unit (CTU) published a detailed analysis of Skeleton Key. The malware was found on a client network that used single-factor authentication for access to webmail and its virtual private network (VPN), a scenario that allowed attackers “unfettered access” to remote access services, the CTU said.
“Skeleton Key is deployed as an in-memory patch on a victim's AD domain controllers to allow the threat actor to authenticate as any user, while legitimate users can continue to authenticate as normal,” researchers said of the malware's capabilities. “Skeleton Key's authentication bypass also allows threat actors with physical access to login and unlock systems that authenticate users against the compromised AD domain controllers.”
Upon analysing the malware, researchers found two variants of Skeleton Key – a sample named “ole64.dll” found on the victim company's compromised network, and an older variant called “msuta64.dll,” which had debugging capabilities allowing attackers to see memory addresses involved in the victim's patching process, the CTU said.
In order to deploy Skeleton Key malware, attackers must first have access to domain administrator credentials.
“CTU researchers have observed threat actors deploying Skeleton Key using credentials stolen from critical servers, administrators' workstations, and the targeted domain controllers,” the threat analysis said.
In a Tuesday interview with SCMagazine.com, Don Smith, director of technology for the CTU, explained that the targeted organisation, a global company headquartered in London, was infected with a remote access trojan (RAT) to give attackers continued access.
“Given what we know about the organisation, it was extremely likely there was spear phishing involved,” Smith said, offering a scenario for how attackers may have gleaned admin credentials.
“It was definitely a targeted attack,” Smith continued, adding that the perpetrators kept a set of admin credentials for the attack, which could be “constantly refreshed” if needed. Smith also told SC that the Skeleton Key attacks could be characterised as a cyber-espionage campaign, and that the older malware variant appeared to be around two years old.
In its threat analysis, the CTU shared that Skeleton Key “does not have a persistence mechanism,” as evidenced by the fact that rebooting an infected system removes the malware's authentication bypass functionality. Researchers discovered this when they found that infection appeared to cause domain replication issues.
“Shortly after each deployment of the Skeleton Key malware observed by CTU researchers, domain controllers experienced replication issues that could not be explained or addressed by Microsoft support and eventually required a reboot to resolve,” the threat report said.
The presence of domain replication issues is one of several red flags organisations should be aware of when checking for signs of Skeleton Key infection, the CTU noted.
Entities can also use Yara signatures (provided in the Dell SecureWorks threat analysis) to search for malware or look for anomalous end-user or privileged user behaviour on systems. Skeleton Key doesn't generate network traffic, researchers noted, so network-based IDS and IPS solutions won't help with detection.
To prevent infection, organisations are advised to employ two-factor authentication for external-facing services that rely on Active Directory for authentication, Dell SecureWorks CTU said.
The actions of Dell have been praised within the industry, with Trey Ford, Global Security Strategist at Rapid7, commenting in an email to press: "Dell SecureWorks CTU team has set a wonderful example of how information sharing helps cyber-security teams in the real world. They've identified a tool that attackers use to bypass authentication controls on a Microsoft Windows network.