
Threat Group Cards: A Threat Actor Encyclopedia

Tool: SkeletonKeyInjector

Names: SkeletonKeyInjector
Category: Malware
Type: Backdoor
Description: (CyCraft) The discovery of a related binary led us to initially believe the sample was a Dumpert. However, a more in-depth analysis revealed that the d3d11.dll sample implanted a skeleton key, where adversaries could persistently control (before the system reboot) the infected machine and machines under the infected AD. More specifically, the malware was an account manipulation tool that contained code extracted from both Dumpert and Mimikatz. We called this malware SkeletonKeyInjector. The malware employed a technique that altered the NTLM authentication program and implanted a skeleton key to allow adversaries to log in without a valid credential. This allowed the adversary to achieve the following objectives:
● Persistence: After the code in memory was altered, the adversary could gain access to the compromised machines before the next system reboot. As AD machines are rarely rebooted, the adversary was able to control the machines for a very long time.
● Defense Evasion: Aside from the different login password and login algorithm scheme, there was no difference when compared to a normal login activity. Furthermore, normal users could still log in to the system via their original password. Thus, the probability of being exposed was low.
● Lateral Movement: Adversaries could use the skeleton key to log in to other machines that were in the same domain. This made it easier for an adversary to conduct lateral movement.
Information: https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf

Last change to this tool card: 19 April 2020


All groups using tool SkeletonKeyInjector

Changed | Name    | Country | Observed
APT groups
        | Chimera | China   | 2018-Oct 2019

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency


Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key