"Skeleton Key", malicious malware that impersonates users by breaking authentication even without a password, is discovered


Dell SecureWorks has announced the discovery of "Skeleton Key", malware that hides as a patch in the memory of an Active Directory domain controller and bypasses authentication. Skeleton Key resides secretly without affecting the login experience of users on the network, lets an attacker impersonate any user by breaking authentication, and carries the danger of enabling remote control from outside.

The Skeleton Key malware discovered by Dell SecureWorks is deployed as a memory patch on an Active Directory domain controller, where it bypasses the system's authentication of users who hold access rights and effectively disables user authentication. Because every user can still log in and work as usual, it is extremely difficult to notice that Skeleton Key is resident.

This is the information for "ole64.dll", one of the samples discovered on the network of a company damaged by Skeleton Key.

Another Skeleton Key sample, "msuta64.dll". As these sample names suggest, Skeleton Key is known to work only on 64-bit Windows systems.

Since planting Skeleton Key on an Active Directory domain controller requires Active Directory administrator privileges, Dell SecureWorks, after investigating the affected company, strongly suspects that the administrator password was stolen through spear phishing (a phishing attack that targets a specific person in order to extract important data).

Skeleton Key is frightening malware: it resides in the system, neutralizes user authentication, and can allow remote control from outside. Fortunately, according to Dell SecureWorks, restarting an infected system erases the malware, so it can never stay on the system permanently.
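The two properties the article describes, a memory-resident patch that does not survive a reboot and samples carrying the file names ole64.dll and msuta64.dll, suggest a simple defender-side check to run on each domain controller. The following PowerShell script is an added example, not code from Dell SecureWorks or from the article; the sample names are taken from the article, the 30-day uptime threshold is an assumed policy value, and a renamed sample would not match by name.

```powershell
# Added example (not from Dell SecureWorks or the article): run in an elevated
# PowerShell session on a domain controller. It reports (1) any loaded module
# whose file name matches a sample name quoted in the article and (2) how long
# the host has been running, since the article notes a reboot clears the
# in-memory patch, so a long uptime is the window in which it could persist.

$suspectNames  = @('ole64.dll', 'msuta64.dll')   # sample names from the article
$maxUptimeDays = 30                               # assumed policy threshold

$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$uptime   = (Get-Date) - $os.LastBootUpTime
$findings = @()

foreach ($proc in Get-Process) {
    try {
        foreach ($m in $proc.Modules) {
            if ($suspectNames -contains $m.ModuleName.ToLowerInvariant()) {
                $findings += [pscustomobject]@{
                    Process = $proc.ProcessName
                    Pid     = $proc.Id
                    Module  = $m.FileName
                }
            }
        }
    } catch {
        # Modules of protected or system processes may not be readable; skip them.
    }
}

"Host: $env:COMPUTERNAME  Uptime: {0:N1} days" -f $uptime.TotalDays
if ($uptime.TotalDays -gt $maxUptimeDays) {
    "WARNING: uptime exceeds $maxUptimeDays days; a memory-resident patch could have survived this long."
}
if ($findings.Count -eq 0) {
    "No loaded module matched the sample names."
} else {
    "Loaded modules matching the sample names:"
    $findings | Format-Table -AutoSize
}
```

A name match is only a starting point for investigation; a clean result does not rule out a renamed sample, and the uptime figure is there to prioritise which controllers to examine and restart first.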

