Skeleton-Key

Skeleton Key is dangerous malware that targets 64-bit Windows machines that are protected with a single-factor authentication method

Skeleton Key is a stealthy virus that spawns its own processes post-infection

Skeleton Key is a Trojan that mainly attacks corporate networks by bypassing the Active Directory authentication systems, as it abuses the single-factor authentication function. In other words, those who use a single password to access their Windows machines connected to a network are in particular danger of being infected with Skeleton Key malware. The malicious actors behind the malware strain can simply use any password and log in as any user, all while not impacting the access of other users connected to the same network.

As soon as the Skeleton-Key virus is installed, it gains access to systems’ e-mail and the VPN services and starts harvesting information on the infected device. In such a way, users’ passwords, credit card information, and other sensitive data can be easily compromised. The best way to protect yourself from Skeleton-Key malware is to enable two-factor authentication instead of using a simple password for computer protection. Luckily, Skeleton Key is relatively flawed, so its prevalence is limited.

While Skeleton Key is a relatively primitive piece of malware and has shortcomings, its infection on the system could be devastating due to excessive information gathering, and numerous companies could face significant monetary and intellectual property losses due to it. Those infected should immediately remove Skeleton Key Trojan from their computes and networks immediately using the most up-to-date security software.

Unlike most of the modern-day malware, Skeleton Key infection requires an already compromised machine or access on the network via a malicious employer. In other cases, the Trojan can be deployed with the help of already installed malware. The analysis performed by Dell Secureworks researchers concluded^[1] that Skeleton-Key needs to be familiar with the environment before the intrusion. Hackers need to have access to:

• memory of another server on the network
• targeted domain controllers
• domain administrators’ workstations

Once deployed, the Skeleton Key virus inserts the malicious ole64.dll file into WINDOWS\system32\ directory and uses PsExec^[2] utility to launch itself remotely. Hacker’s password is generated in an NTLM format rather than plain text, allowing him/her to log in as any user on the network and then move laterally. After the intrusion, the malicious DLL file is deleted from the machine.

Skeleton Key is a type of malware that can bypass single-factor authentication to access Windows machines and steal sensitive data

Skeleton Key weaknesses include its inability to infect 32-bit-based Windows systems and Windows server versions beginning 2012, as well as not monitoring network traffic on the host. Additionally, one of the main downfalls of the malware is that it needs to be reinstalled each time the server is rebooted in order to perform operations on the host.

According to researchers, malicious actors managed to infect multiple organizations with Skeleton Key. While the infection is relatively old, it can still be used by hackers and might also be improved to include more functions.

For Skeleton Key removal, victims need to install anti-malware software which could detect the malicious DLL file as well as its code injections into the LSASS process’s memory. In the case of system malfunctions post-removal, users should scan their machines with Reimage Reimage Cleaner .

Organisations should protect their networks accordingly

Security researchers reported that Skeleton Key needs to be familiar with the environment where the target computers are located. For example, a malicious employee who was bribed or contacted by hackers could access corporate computers and infect them with malware. Unfortunately, the key characteristic of the infection is stealth, and one person who is not fair is enough to compromise an entire network and compromise even the most sensitive corporate data.

Thus, security researchers advise to take countermeasures to prevent data-stealers:

• Implement multi-factor authentication^[3] methods for regular computer access, as well as remote email services and the VPN;
• Security personnel should conduct audits that check from unexpected appearance of PsExec.exe, rundll32.exe and process arguments similar to NTLM hashes;
• Protecting their networks with comprehensive security solutions;
• Ensuring integrity of the employees by conducting security training sessions.

While Skeleton Key lacks in persistence, it is a threat that should be ignored, as it might result in corporate data leak

Skeleton Key virus removal

Skeleton Key removal can be a real challenge as it deletes its main executable file post-infection and barely leaves any traces. However, finding these traces manually can only be done by professional IT experts. Most of the modern-day solutions should be able to track and detect the initial .dll file and even stop its further expansion. Nevertheless, for Skeleton-Key removal, users should employ anti-malware software and run a full system scan.

Note that in some cases, Skeleton key virus might not be the only threat residing on the system, as often happens with Trojans. Therefore, it is possible that anti-malware software might be stopped by those threats in the first place. If that happens, users should access Safe Mode with Networking and perform a full system scan from there.