Threat actors use it with Winnti to compromise networks

Jan 30, 2015 16:58 GMT  ·  By

The Skeleton Key malware went unnoticed for the past two years, until researchers at Dell SecureWorks discovered it in the network of one of their clients.

The threat has been used by attackers to bypass authentication on Active Directory (AD) systems that rely on single-factor authentication. It allows them to log into the system as a legitimate user, but with a password of their own choosing.

Skeleton Key was first detected in early 2013

Symantec carried out its own analysis on a sample of the malware and identified a connection with the Winnti backdoor, which was employed in multiple targeted attacks against companies all over the world.

Kaspersky reports that the backdoor is operated by attackers who specialize in compromising the computer networks of companies in the video game industry, and that it is used to steal source code and digital certificates.

Gavin Gorman of Symantec says that Skeleton Key (detected by Symantec as Trojan.Skelky) has evolved over the past two years, with new variants emerging.

The first signs of its activity were recorded in January 2013, and it did not reappear until November of the same year. Since then, the attackers have returned to it and used it frequently; four more versions have appeared in that time.

“Symantec telemetry identified the skeleton key malware on compromised computers in five organizations with offices in the United States and Vietnam. The exact nature and names of the affected organizations is unknown to Symantec,” a blog post from Gorman said on Thursday.

Multiple groups may be using the two malware pieces

The connection between Skeleton Key and Winnti was made on the basis that the attackers used the same password in three different variants of the malware, indicating that a single group was behind it.

On two of the systems compromised by Skeleton Key, other threats were also found: a variant of the Winnti backdoor and a dropper for it. Because both pieces were detected on the same systems, it can be concluded that they are used together by the same actor.

Symantec found no evidence that multiple attacker groups rely on these malware pieces, but it does not rule out the possibility.