Skeleton Key Malware Opens Door to Espionage

The Skeleton Key malware bypasses single-factor authentication on Active Directory domain controllers and paves the way to stealthy cyberespionage.

Enterprise Active Directory administrators need to be on the lookout for anomalous privileged user activity after the discovery of malware capable of bypassing single-factor authentication on AD that was used as part of a larger cyberespionage campaign against a global company based in London.

Hackers already on the company’s network via a remote access Trojan (RAT) deployed what’s being called the Skeleton Key malware, which they used to steal legitimate insider credentials, steal company data and exfiltrate it to the outside without raising many red flags.

Researchers at Dell SecureWorks would not identify the organization, nor provide any indication on the identity or location of the attackers, other than to say that it was not an “ecrime” operation and some of the documents taken would be of interest to entities on the “Pacific rim.”

Skeleton Key purposely lacks persistence, said Dell SecureWorks director of technology Don Smith. It is installed as an in-memory patch on an Active Directory domain controller and will not survive a reboot. Granted, Active Directory domain controllers, such as the ones compromised in this attack, are not rebooted all that often.

“I don’t think it was a mistake [by the attackers]. The people concerned have the capability of making it persistent,” Smith said. “The lack of persistence characterizes the stealthy nature of this operation. If you make it persistent over a reboot, you have to leave something behind in the registry or elsewhere that will make it restart. This is super stealthy and this minimizes their footprint. They rely on their foothold elsewhere in the network, and jump in every time they need to.”

With access to Active Directory, the hackers can secure username-password combinations and use those credentials to remotely carry out the rest of their attack authenticated as legitimate users. In the case of the London firm, they were discovered on a network that used password-only authentication for its webmail and VPN remote access. Once inside, they were able to use credentials stolen from critical servers, admin workstations and domain controllers to drop Skeleton Key anywhere else on the network.

Dell SecureWorks posted a number of indicators of compromise and YARA detection signatures in a report published this week. A number of file names were also found associated with Skeleton Key, including one suggesting that an older variant of the malware, compiled in 2012, exists.

Dell SecureWorks also said that the attackers, once on the network, upload the malware’s DLL file to an already compromised machine and attempt to access admin shares on the domain controllers using a list of stolen admin credentials. If the credentials don’t work, they deploy password-stealing tools to extract admin passwords from the memory of another server, the domain admin’s workstation or the targeted domain controllers. With access to the controller, Skeleton Key’s DLL is loaded and the attackers use the PsExec utility to remotely inject the Skeleton Key patch and run the malware’s DLL on the target domain controllers. The attackers then use an NTLM password hash to authenticate as any user.

The lack of persistence isn’t the only perceived weakness associated with Skeleton Key. Its deployment caused AD domain controller replication issues in regional offices that required a reboot. The frequent reboots were an indication that the attackers were re-implanting Skeleton Key, Smith said; along with the presence of PsExec or TaskScheduler on a domain controller, these are other anomalous privileged user activities to be on the lookout for.
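The three signals Smith names (PsExec on a domain controller, scheduled tasks created on a domain controller, and domain controllers being rebooted unusually often) can be hunted for in Windows event logs. The script below is an added illustration written for this article; it is not code from Dell SecureWorks or from the report. It assumes a simplified `key=value` export of event records, a hand-written inventory of domain controller hostnames, and the usual meaning of event IDs 7045 (service installed, which is how the PSEXESVC service PsExec creates shows up), 4698 (scheduled task created) and 1074 (shutdown or restart initiated); the sample log lines are constructed.

```python
"""Hunt for the privileged-activity patterns described in the Skeleton Key write-up.

Added illustration, not the report's own tooling. Event records are a
simplified key=value export; field names approximate the real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed inventory of domain controllers (constructed for the example).
DOMAIN_CONTROLLERS = {"dc01", "dc02", "dc-region-a"}

# Service names that indicate remote execution tooling; PSEXESVC is the
# service name PsExec installs on the target host.
REMOTE_EXEC_SERVICES = {"psexesvc"}

# Constructed sample events: one PsExec service install on a DC, one
# scheduled task on a regional DC followed by three restarts in nine days,
# a PsExec install on a workstation, and a single planned DC restart.
SAMPLE_EVENTS = r"""
2015-01-10T02:14:07 host=dc01 id=7045 user=CORP\svc-backup service=PSEXESVC
2015-01-10T02:14:09 host=dc01 id=4624 user=CORP\svc-backup logon_type=3
2015-01-12T23:40:11 host=dc-region-a id=4698 user=CORP\jdoe task=\Maintenance\sync
2015-01-13T00:02:50 host=dc-region-a id=1074 user=CORP\jdoe reason=other
2015-01-15T10:00:00 host=ws-117 id=7045 user=CORP\admin2 service=PSEXESVC
2015-01-19T04:11:03 host=dc-region-a id=1074 user=CORP\jdoe reason=other
2015-01-20T12:00:00 host=dc02 id=1074 user=CORP\patchmgmt reason=planned
2015-01-22T03:30:00 host=dc-region-a id=1074 user=CORP\jdoe reason=other
""".strip().splitlines()


def parse_event(line):
    """Turn '<iso-timestamp> k=v k=v ...' into a dict with a datetime 'time'."""
    ts, *pairs = line.split()
    record = {"time": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def find_remote_exec_on_dc(events):
    """Flag PsExec service installs and scheduled-task creation on DCs."""
    findings = []
    for e in events:
        if e["host"] not in DOMAIN_CONTROLLERS:
            continue
        if e["id"] == "7045" and e.get("service", "").lower() in REMOTE_EXEC_SERVICES:
            findings.append((e["host"], "psexec_service_installed", e["user"], e["time"]))
        elif e["id"] == "4698":
            findings.append((e["host"], "scheduled_task_created", e["user"], e["time"]))
    return findings


def find_repeated_dc_reboots(events, window=timedelta(days=14), threshold=2):
    """Flag any DC restarted at least `threshold` times inside `window`.

    A sliding window over the sorted restart times per host finds the
    densest cluster; the count reported is the size of that cluster.
    """
    restarts = defaultdict(list)
    for e in events:
        if e["id"] == "1074" and e["host"] in DOMAIN_CONTROLLERS:
            restarts[e["host"]].append(e["time"])
    findings = []
    for host, times in restarts.items():
        times.sort()
        densest, start = 0, 0
        for end, t in enumerate(times):
            while times[start] < t - window:
                start += 1
            densest = max(densest, end - start + 1)
        if densest >= threshold:
            findings.append((host, "repeated_reboots", densest))
    return findings


def triage(lines):
    """Parse raw lines and return both kinds of findings for an analyst."""
    events = [parse_event(line) for line in lines]
    return find_remote_exec_on_dc(events) + find_repeated_dc_reboots(events)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding)
```

The workstation PsExec install is deliberately not flagged: the point of the hunt is privileged tooling landing on domain controllers, where it has no routine reason to appear. The reboot threshold and window are starting values; tune them to how often your controllers are legitimately restarted for patching.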

“This was far from just collecting passwords. Once they injected the hash, they could then walk up to any machine in the network, give any user name and their password and get in,” Smith said. “The bad guys used remote access to authenticate at will. I think that characterizes this attack as a long-running cyberespionage operation. There is a lot of information in the victim organization they’re looking for, and they want to maintain as low a profile as possible to evade discovery. All the espionage activity is carried out as an ordinary user. The challenge as a defender is the need to look for anomalous user behavior, which isn’t all that simple a task.”