‘Skeleton Key’ Malware Bypasses Authentication on AD Systems

Researchers at Dell SecureWorks’ Counter Threat Unit (CTU) have discovered malware that sidesteps authentication on Active Directory (AD) systems protected only by passwords.

Dubbed ‘Skeleton Key’, the researchers found the malware on a client network that used single-factor authentication for access to webmail and VPN – giving the threat actor total access to remote access services. According to CTU, the malware requires an attacker have domain administrator credentials in order to be deployed, and has been observed being used by attackers who have stolen credentials from critical servers, administrators’ workstations and the targeted domain controllers.

“What raises the alarm about the Skeleton Key malware is that it enables the adversary to trivially authenticate as any user, using their injected password, this could give them access to the target’s webmail or VPN if that was relying upon AD for authentication,” said Don Smith, CTU director of technology. “Consequently, the threat actors can get access to the victim’s email correspondence and network files. This activity looks like – and is – normal end user activity, so the chances of the threat actor raising any suspicion is extremely low and this is what makes this malware particularly stealthy.”

According to Dell SecureWorks, Skeleton Key is deployed as an in-memory patch on a victim’s AD domain controllers. The only known Skeleton Key samples lack persistence and must be redeployed when a domain controller is restarted.

“CTU researchers suspect that threat actors can only identify a restart based on their inability to successfully authenticate using the bypass, as no other malware was detected on the domain controllers,” according to the company. “Between eight hours and eight days of a restart, threat actors used other remote access malware already deployed on the victim’s network to redeploy Skeleton Key on the domain controllers.”

The attackers use the PsExec tool to run the Skeleton Key DLL remotely on the target domain controllers using the rundll32 command. The malware does not transmit network traffic, making network-based detection ineffective, the researchers noted. However, the malware has been implicated in domain replication issues that may be proof of an infection.

“Shortly after each deployment of the Skeleton Key malware observed by CTU researchers, domain controllers experienced replication issues that could not be explained or addressed by Microsoft support and eventually required a reboot to resolve,” CTU researchers blogged. “These reboots removed Skeleton Key’s authentication bypass because the malware does not have a persistence mechanism.”

Dell SecureWorks recommends organizations use multi-factor authentication for all remote access solutions, monitor Windows Service Control Manager events on Active Directory domain controllers and be mindful that process creation audit trails on workstations and servers, including AD domain controllers, may detect Skeleton Key deployments.

“Modification of the authentication process is rarely observed in the Windows world, and the CTU has not seen similar malware targeting Active Directory before,” Smith said. “The hackers behind the Skeleton Key malware would definitely require a reasonable degree of skill.”