An attack tool used in an ongoing cyber-espionage operation gives digital spies a backdoor into the affected network and allows them to retain control in a nearly undetectable way, according to research published by managed-security firm Dell Secureworks on Jan. 13.
For more than two years, the program, dubbed ‘Skeleton Key,’ appears to have resided on a critical server—known as a domain controller—and allowed any attacker with a secret key to log in to the victim’s network by donning the identity of any valid user. When attackers infiltrate a company’s network, the next challenge typically is to retain control of compromised accounts and systems without being detected, and Skeleton Key makes that happen, according to the published analysis.
While not a program that compromises systems itself, the malware acts as a secret gatekeeper, circumventing the access controls normally put in place by a domain controller, Don Smith, director of technology for the counter-threat unit (CTU) at Dell Secureworks, told eWEEK.
“The adversary could inject the Skeleton Key and then, in a very, very stealthy way, move around the network with totally unfettered access to the organization’s content,” he said. “The access that it gives them is massive.”
Once installed on an Active Directory domain controller, Skeleton Key allows users to log in as normal, but if any user name is entered along with the attacker’s secret password, then the attacker will be logged in as that user, Dell Secureworks said. While the program requires attackers to already have access to the network and valid domain administrator credentials, it does allow attackers to easily log in to the victim’s systems and steal data, the report stated.
So far, only a single case of the malware has been found, according to Dell Secureworks’ Smith. An administrator working at the affected company, which Smith declined to name, noticed user activity during odd hours and flagged the managed-security provider. After analyzing the issue, the company focused on the domain controller and eventually found the malware.
Skeleton Key only resides in memory and is not written to disk, making it even more difficult to detect, but also requiring the attackers to reinstall it, if the domain controller is restarted.
“The only known Skeleton Key samples as of this publication lack persistence and must be redeployed when a domain controller is restarted,” the report stated. “CTU researchers suspect that threat actors can only identify a restart based on their inability to successfully authenticate using the bypass, as no other malware was detected on the domain controllers.”
When the victim company restarted its server, Skeleton Key was reinstalled somewhere between eight hours and eight days later.
The program likely had control of the domain controller inside the targeted company for more than two years, according to Smith. An older version of the program with a September 2012 compile date was found on another system inside the firm, he said.
While no other similar malware has been found in other companies, the program appears to be part of a larger campaign, Smith said. The passcode for access to the network had been set to the name of the domain controller, followed by an “@” symbol, followed by a code name for the victim. Such a scheme would not be necessary if only a single company had been targeted, Smith said.
“The form of that password makes me believe they had other victims,” he said.