Researchers from the Dell Secureworks CTU team have unearthed a new type of malware whose goal is to allow attackers to bypass authentication on Active Directory (AD) systems by enabling them to use any random password. They dubbed the malware “Skeleton Key.”
“CTU researchers discovered Skeleton Key on a client network that used single-factor authentication for access to webmail and VPN, giving the threat actor unfettered access to remote access services,” they shared.
“Skeleton Key is deployed as an in-memory patch on a victim’s AD domain controllers to allow the threat actor to authenticate as any user, while legitimate users can continue to authenticate as normal. Skeleton Key’s authentication bypass also allows threat actors with physical access to login and unlock systems that authenticate users against the compromised AD domain controllers.”
The good news for targets is that Skeleton Key is an in-memory patch which gets removed each time a domain controller is rebooted. Still, in this particular case, the attackers had deployed other remote access malware on the network, which allowed them to redeploy Skeleton Key every time it was wiped by a reboot.
“Skeleton Key requires domain administrator credentials for deployment,” the researchers noted, adding that the attackers used credentials stolen from critical servers, administrators’ workstations, and the targeted domain controllers.
Apparently, the researchers also found a pattern that suggests that these same attackers used Skeleton Key in the networks of multiple other organizations.
“The Skeleton Key malware does not transmit network traffic, making network-based detection ineffective. However, the malware has been implicated in domain replication issues that may indicate an infection,” they noted, and shared YARA signatures designed to detect a Skeleton Key DLL and the code it injects into the LSASS process’s memory. They also provided MD5 hashes for detecting the malware’s DLL files.
“Dell Secureworks CTU team has set a wonderful example of how information sharing helps cyber security teams in the real world,” Trey Ford, Global Security Strategist at Rapid7, commented on the release.