Malware Couples with Backdoor Trojan

Monday, February 2, 2015 @ 05:02 PM gHale

A piece of malware focused on attacking Active Directory may actually have a connection to a separate malware family used in attacks against victims in the U.S. and Vietnam, Symantec researchers said.

“Symantec has analyzed Trojan.Skelky (Skeleton Key) and found that it may be linked to the Backdoor.Winnti malware family,” said Symantec researcher Gavin O’Gorman.


“The attackers behind the Trojan.Skelky campaign appear to have been using the malware in conjunction with this back door threat,” he said in a blog post. “It’s unclear if the malware family Backdoor.Winnti is used by one attack group or many groups.”

Backdoor.Winnti has been used in a number of earlier campaigns, in particular against Asian gaming companies, Symantec said; whether one set of attackers or many are using it is not known.

In January, researchers from Dell SecureWorks described malware they called “Skeleton Key.” The malware was found on a client network that used single-factor (password-only) authentication for webmail and VPN, so the attackers could use it to authenticate to those remote access services. Skeleton Key is deployed as an in-memory patch on a victim’s Active Directory domain controllers, the Dell SecureWorks researchers said. In the cases they investigated, the attackers used the PsExec tool to run the Skeleton Key DLL remotely on the target domain controllers via the rundll32 command.

When Dell SecureWorks researchers published their findings on Skeleton Key, they said the samples lacked persistence and had to be redeployed whenever a domain controller restarted. The attackers did so between eight hours and eight days after a restart, using other remote access malware already present on the victim’s network to push Skeleton Key back onto the domain controllers, the researchers said.
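The deployment pattern described above (PsExec installing its service on a domain controller, rundll32 loading a DLL under that service, and the whole sequence repeating a few hours to a few days after every DC reboot) is something a defender can hunt for in Windows event logs. The following Python detector is an added example, not code from the article, Symantec or Dell SecureWorks. It runs over constructed event records (event IDs 6005 for event-log start at boot, 7045 for service installation and 4688 for process creation); the host names, the DLL name and the list of domain controllers are assumptions for illustration, and the eight-day window comes from the redeployment timing reported above.

```python
"""Hunt for the Skeleton Key deployment pattern: rundll32 loading a DLL under PSEXESVC
on a domain controller, and how soon after the DC's last boot it happened.
Added example with constructed log records; not real telemetry."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumption: inventory of hosts that are domain controllers.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
# SecureWorks saw redeployment between eight hours and eight days after a restart.
REDEPLOY_WINDOW = timedelta(days=8)


@dataclass
class Event:
    host: str
    time: datetime
    event_id: int  # 6005 = event log started (boot), 7045 = service installed, 4688 = process created
    fields: Dict[str, str] = field(default_factory=dict)


def is_psexec_service_install(ev: Event) -> bool:
    """PsExec installs a service named PSEXESVC on the target before running a command."""
    return ev.event_id == 7045 and ev.fields.get("ServiceName", "").upper().startswith("PSEXESVC")


def is_rundll32_under_psexec(ev: Event) -> bool:
    """rundll32 loading a DLL with PSEXESVC.exe as its parent: the remote-deployment pattern."""
    if ev.event_id != 4688:
        return False
    image = ev.fields.get("NewProcessName", "").lower()
    parent = ev.fields.get("ParentProcessName", "").lower()
    cmd = ev.fields.get("CommandLine", "").lower()
    return image.endswith("\\rundll32.exe") and parent.endswith("\\psexesvc.exe") and ".dll" in cmd


def find_skeleton_key_deployments(events: List[Event]) -> List[dict]:
    """Return one alert per suspicious event on a domain controller, in time order per host."""
    alerts: List[dict] = []
    by_host: Dict[str, List[Event]] = {}
    for ev in events:
        by_host.setdefault(ev.host, []).append(ev)
    for host, evs in by_host.items():
        if host not in DOMAIN_CONTROLLERS:
            continue  # the pattern on the page is DC-specific; scope the hunt to DCs
        last_boot: Optional[datetime] = None
        for ev in sorted(evs, key=lambda e: e.time):
            if ev.event_id == 6005:
                last_boot = ev.time  # the in-memory patch is lost here; expect a redeploy
            elif is_psexec_service_install(ev):
                alerts.append({"host": host, "time": ev.time, "kind": "psexec_service"})
            elif is_rundll32_under_psexec(ev):
                since_boot = ev.time - last_boot if last_boot else None
                alerts.append({
                    "host": host,
                    "time": ev.time,
                    "kind": "rundll32_dll",
                    "command": ev.fields["CommandLine"],
                    "hours_since_boot": round(since_boot.total_seconds() / 3600, 2) if since_boot else None,
                    "redeploy_after_reboot": since_boot is not None and since_boot <= REDEPLOY_WINDOW,
                })
    return alerts


def sample_events() -> List[Event]:
    """Constructed records for illustration. The DLL name is hypothetical."""
    t0 = datetime(2015, 1, 10, 8, 0)
    rundll32 = r"C:\Windows\System32\rundll32.exe"
    return [
        Event("DC01", t0, 6005),  # DC01 rebooted, wiping any in-memory patch
        Event("DC01", t0 + timedelta(hours=20), 7045,
              {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
        Event("DC01", t0 + timedelta(hours=20, seconds=5), 4688, {
            "NewProcessName": rundll32,
            "ParentProcessName": r"C:\Windows\PSEXESVC.exe",
            "CommandLine": r"rundll32.exe C:\Windows\System32\example64.dll,ii",
        }),
        # Benign rundll32 on DC02 (launched by svchost, not PsExec): must not alert.
        Event("DC02", t0, 4688, {
            "NewProcessName": rundll32,
            "ParentProcessName": r"C:\Windows\System32\svchost.exe",
            "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
        }),
        # Same pattern on a workstation: out of scope for this DC-focused hunt.
        Event("WS07", t0, 4688, {
            "NewProcessName": rundll32,
            "ParentProcessName": r"C:\Windows\PSEXESVC.exe",
            "CommandLine": r"rundll32.exe C:\tools\example64.dll,ii",
        }),
    ]


if __name__ == "__main__":
    for alert in find_skeleton_key_deployments(sample_events()):
        print(alert)
```

Because the patch does not survive a reboot, the interesting signal is the cadence: a rundll32-under-PSEXESVC launch that shows up within the redeployment window after each DC restart points at an attacker who still has a foothold elsewhere on the network and is maintaining the patch by hand.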

According to Symantec’s telemetry, Skeleton Key malware was on compromised computers in five organizations with offices in the United States and Vietnam, O’Gorman said. Symantec does not know the exact nature and names of the affected organizations; the first activity it observed was in January 2013 and continued until November 2013.

“In November 2013, the attackers increased their usage of the tool and have been active ever since,” O’Gorman said. “Four more variants of Trojan.Skelky were discovered as well as additional file names used by the attackers.”

From the first observed use of the tool to the present, the attackers have consistently used the same password, and this holds across three different variants of the tool, O’Gorman said. That consistency makes it likely that only one group of attackers had been using the tool until at least January 2015, he said.
