Winnti trojan may help set stage for Skeleton Key attacks, analysts say


Researchers believe that a backdoor trojan, called “Winnti,” may have been used in conjunction with new malware, dubbed “Skeleton Key” ndash; which installs itself as an in-memory patch on Active Directory domain controllers.

Earlier this month, researchers at Dell SecureWorks Counter Threat Unit (CTU) uncovered Skeleton Key, noting that the malware was capable of bypassing authentication on Active Directory (AD) systems that used only a passwords, or single-factor auth, for access.

To deploy the malware, however, attackers required access to domain administrator credentials, the firm said – which may explain new evidence from Symantec that backdoor Winnti was on a computer infected with Skeleton Key (detected by Symantec as "Trojan.Skelky").

“There were almost no signs of other malware active at the same time as Skelky in most of the organizations investigated,” Gavin O'Gorman, a researcher at Symantec, said in a Thursday blog post. “However, two compromised computers had other malware present, active, and in the same directory, at the same time as Trojan.Skelky,” he explained.

Of note, Symantec found two malicious files on one of the victim's computers. One file was a variant of Winnti, and another was a dropper for the backdoor, O'Gorman wrote.

In a Thursday interview with, Eric Chien, senior technical director at Symantec, said that initial reports about Skeleton Key were “missing a puzzle piece,” which may be the backdoor trojan Winnti that researchers eventually stumbled across.

“How did [Skelky] get on there, since by itself it was sort of useless? Through our telemetry, we are seeing that [attackers] were also using Winnti in combination with Skelky. It allowed them remote access on the machine to do whatever they want, like installing Skelky,” Chien explained.

When Dell SecureWorks discovered Skeleton Key, researchers revealed that a targeted organization in London had been infected with a remote access trojan in order to give attackers continued access.

It's worth nothing too that, in 2013, security firm Kaspersky described attack methods of Winnti operators, and said that, in one instance, a malicious DLL was found on a computer game publisher's update server. The DLL “contained a backdoor payload, or, to be exact, the functionality of a fully-fledged Remote Administration Tool (RAT), which gave the cybercriminals the ability to control the victim computer without the user's knowledge,” the Kaspersky blog post said.

In his interview with, Symantec's Chien said that, since Winnti's targets have included companies in a variety of industries – like electronics manufacturers, non-profits, and gaming companies – it's unclear whether the backdoor is being used by one group, or multiple.

In its blog post, Symantec published the file names and hashes associated with the Skeleton Key malware and backdoor Winnti samples it analyzed.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.