Skeleton Key Malware modifies the Active Directory authentication process

Dell SecureWorks detected the Skeleton Key malware, which modifies authentication process on Active Directory (AD) systems protected by only passwords.

The experts at Dell SecureWorks Counter Threat Unit(TM) (CTU) have recently discovered a malware dubbed Skeleton Key that bypasses single-factor authentication on Active Directory (AD) systems. The attackers can use to have total access to remote access services with a password of their choosing to authenticate as any user.

The researchers at CTU have discovered the Skeleton Key on a client network that used single-factor authentication for access to webmail and VPN, the malware is deployed as an in-memory patch on a targeted AD domain controllers to allow attacker to authenticate as any user, while legitimate users can continue to authenticate without noticing the infection.

Attacks which implements the modification of the authentication process are rarely observed by security experts and CTU researchers confirmed they haven’s seen similar malware targeting Active Directory before.

“Skeleton Key is deployed as an in-memory patch on a victim’s AD domain controllers to allow the threat actor to authenticate as any user, while legitimate users can continue to authenticate as normal. Skeleton Key’s authentication bypass also allows threat actors with physical access to login and unlock systems that authenticate users against the compromised AD domain controllers.” states a blog post published by CTU.

In order to spread the Skeleton Key the attacker requires have domain administrator credentials, circumstance common when criminal crews stole stolen credentials from victims or acquire them on the underground market.

“What raises the alarm about the Skeleton Key malware is that it enables the adversary to trivially authenticate as any user, using their injected password, this could give them access to the target’s webmail or VPN if that was relying upon AD for authentication,” explained Don Smith, CTU director of technology, at securityweek.com “Consequently, the threat actors can get access to the victim’s email correspondence and network files. This activity looks like – and is – normal end user activity, so the chances of the threat actor raising any suspicion is extremely low and this is what makes this malware particularly stealthy.”

The samples of malware analyzed by the experts at CTU lack persistence, this means that threat actors need to re-deployed the malicious agent every time the domain controller is restarted.

“CTU researchers suspect that threat actors can only identify a restart based on their inability to successfully authenticate using the bypass, as no other malware was detected on the domain controllers,” continues the post. “Between eight hours and eight days of a restart, threat actors used other remote access malware already deployed on the victim’s network to redeploy Skeleton Key on the domain controllers.”

The researchers discovered that attackers used the PsExec tool to run the Skeleton Key DLL remotely on the target domain controllers using the rundll32 command. The attackers choose a password for their authentication, then it is formatted as an NTLM password hash and it is provided in clear text.

CTU researchers explained that network traffic analysis is ineffective, anyway, it could be detected because it is associated with domain replication issues that may indicate an infection.

“Shortly after each deployment of the Skeleton Key malware observed by CTU researchers, domain controllers experienced replication issues that could not be explained or addressed by Microsoft support and eventually required a reboot to resolve,” CTU researchers blogged. “These reboots removed Skeleton Key’s authentication bypass because the malware does not have a persistence mechanism.”

CTU researchers have no doubts about the abilities of malware authors, Skeleton Key malware was the results of specialists with a “reasonable degree of skill.”

In order to detect the presence of the Skeleton Key malware, Dell SecureWorks recommends organizations use multi-factor authentication for access to its services, monitor processes running on workstations and servers and monitor Windows Service Control Manager events on Active Directory domain controllers.

Pierluigi Paganini

(Security Affairs – Skeleton Key, malware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.