Dangerous ‘Skeleton Key’ Malware Discovered by Researchers

Researchers from Dell SecureWorks recently discovered a sophisticated malware variant which allows hackers to authenticate themselves as any user on a Windows Active Directory server using any password once the network has been infiltrated using stolen login credentials. Based on the malware analysis offered by Dell, it appears that Skeleton Key – as named by the Dell researchers responsible for discovering the malware – was carefully designed to do a specific job. This malware is deployed using an in-memory process ‘patch’ that uses the compromised admin account used to access the system in the first place.

By using an in-memory process patch, the malware generates no network traffic and is very difficult to catch as a result. This authentication bypass technique applies to all services relying on single-factor authentication via Active Directory. This includes sensitive services like VPN and Web mail among others. Although this threat is concerning, it is difficult to determine exactly what the purpose of this malware is because a hacker would already need admin credentials to access the server prior to deploying Skeleton Key. In other words, it is redundant and has left security researchers questioning the need for such a program. The best guess at this point is that Skeleton Key is designed for long term attacks in which hackers are using regular user accounts from within the network to avoid detection.

Furthermore, the complexity of the malware could point to development by a nation state deploying Skeleton Key as part of a larger campaign with yet unknown targets.

That said, records found within the intercepted malware files indicate that Skeleton Key has been deployed in many organizations, not just the one in which Dell researchers discovered the malware (the affected network was not named in Dell’s published analysis report). There are two weaknesses inherent to Skeleton Key.

skeleton key malware

First, the malware disappears if the Active Directory controller is rebooted. Although a hacker already inside the network could simply re-deploy the malware after a reboot, the chances of detection increase. Second, Skeleton Key only works on certain versions of Windows Server. Specifically, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2. New versions of Windows Server are not affected by this malware and neither are 32-bit versions of the OS. It seems that Skeleton Key is the latest in a growing list of complex malware campaigns most likely backed by an unknown government entity.

Protecting the network from this threat is best accomplished by properly managing administrative accounts. Using two-factor authentication for these accounts, for instance, is probably the best way to avoid infiltration.

Obviously, a strong password policy is also a good idea as it is much more difficult for hackers to guess or brute-force complex passwords. Dell researchers also recommend monitoring Windows Service Control Manager Events on the Active Directory controller for signs that a Skeleton Key breach may already have occurred.  As always, ensure all of the latest OS and applications updates are installed regularly to further prevent Skeleton Key infiltration and any associated damage it may cause.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal