Malware, Network Security

‘Skeleton Key’ malware installed as in-memory patch on Active Directory DCs

Researchers have discovered malware, called “Skeleton Key,” which bypasses authentication on Active Directory (AD) systems using only passwords (single-factor auth) for access.

On Monday, Dell SecureWorks Counter Threat Unit (CTU) published a detailed analysis of Skeleton Key. The malware was found on a client network that used single-factor authentication for access to webmail and its virtual private network (VPN), a scenario that allowed attackers “unfettered access” to remote access services, the CTU said.  

“Skeleton Key is deployed as an in-memory patch on a victim's AD domain controllers to allow the threat actor to authenticate as any user, while legitimate users can continue to authenticate as normal,” researchers said of the malware's capabilities.“Skeleton Key's authentication bypass also allows threat actors with physical access to login and unlock systems that authenticate users against the compromised AD domain controllers.”

Upon analyzing the malware, researchers found two variants of Skeleton Key – a sample named “ole64.dll” found on the victim company's compromised network, and an older variant called “msuta64.dll,” which had debugging capabilities allowing attackers to see memory addresses involved in the victim's patching process, the CTU said.

In order to deploy Skeleton Key malware, attackers must first have access to domain administrator credentials.

“CTU researchers have observed threat actors deploying Skeleton Key using credentials stolen from critical servers, administrators' workstations, and the targeted domain controllers,” the threat analysis said.

In a Tuesday interview with, Don Smith, director of technology for the CTU, explained that the targeted organization, a global company headquartered in London, was infected with a remote access trojan (RAT), in order to give attackers continued access.

“Given what we know about the organization, it was extremely likely there was spear phishing involved,” Smith said, offering a scenario for how attackers may have gleaned admin credentials.

“It was definitely a targeted attack,” Smith continued, adding that the perpetrators kept a set of admin credentials for attack, which could be “constantly refreshed,” if needed. Smith also told that the Skeleton Key attacks could be characterized as a cyberespionage campaign, and that the older malware variant appeared to be around two years old.

In its threat analysis, the CTU shared that Skeleton Key “does not have a persistence mechanism,” as evidenced by the fact that rebooting an infected system removes the malware's authentication bypass functionality. Researchers discovered this when they found that infection appeared to cause domain replication issues.

“Shortly after each deployment of the Skeleton Key malware observed by CTU researchers, domain controllers experienced replication issues that could not be explained or addressed by Microsoft support and eventually required a reboot to resolve,” the threat report said.

The presence of domain replication issues is one of several red flags organizations should be aware of when checking for signs of Skeleton Key infection, the CTU noted.

Entities can also use Yara signatures (provided in the Dell SecureWorks threat analysis) to search for malware or  look for anomalous end-user or privileged user behavior on systems. Skeleton Key doesn't generate network traffic, researchers noted, so network-based IDS and IPS solutions won't help with detection.

To prevent infection, organizations are advised to employ two-factor authentication for external facing services that rely on Active Directory for authentication, Dell SecureWorks CTU said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.