Skeleton Key is dangerous malware that targets 64-bit Windows machines that are protected with a single-factor authentication method
Skeleton Key is a stealthy virus that spawns its own processes post-infection
Skeleton Key is a Trojan that mainly attacks corporate networks by bypassing the Active Directory authentication systems, as it abuses the single-factor authentication function. In other words, those who use a single password to access their Windows machines connected to a network are in particular danger of being infected with Skeleton Key malware. The malicious actors behind the malware strain can simply use any password and log in as any user, all while not impacting the access of other users connected to the same network.
As soon as the Skeleton-Key virus is installed, it gains access to systems' e-mail and the VPN services and starts harvesting information on the infected device. In such a way, users' passwords, credit card information, and other sensitive data can be easily compromised. The best way to protect yourself from Skeleton-Key malware is to enable two-factor authentication instead of using a simple password for computer protection. Luckily, Skeleton Key is relatively flawed, so its prevalence is limited.
|Name||Skeleton-Key, Skeleton Key|
|Type||Malware, Trojan, keylogger|
|Intrusion||hackers use domain administrator credentials as a primary infection vector; alternatively, the virus can be deployed with the help of an already installed malware|
|Malware sample||Security researchers analyzed Skeleton Key sample that was named ole64.dll|
|Other elated files||ole.dll, .msuta64.dll|
|Systems affected||64-bit Windows versions only|
|Associated risks||Loss of personal data, identity theft, loss of intellectual property, financial losses, infiltration of other malware|
|Removal||Get rid of the infection by using the most up-to-date anti-malware software such as SpyHunter 5Combo Cleaner or Malwarebytes|
|Recovery||Reimage Reimage Cleaner Intego can be used to fix virus damage|
While Skeleton Key is a relatively primitive piece of malware and has shortcomings, its infection on the system could be devastating due to excessive information gathering, and numerous companies could face significant monetary and intellectual property losses due to it. Those infected should immediately remove Skeleton Key Trojan from their computes and networks immediately using the most up-to-date security software.
Unlike most of the modern-day malware, Skeleton Key infection requires an already compromised machine or access on the network via a malicious employer. In other cases, the Trojan can be deployed with the help of already installed malware. The analysis performed by Dell Secureworks researchers concluded that Skeleton-Key needs to be familiar with the environment before the intrusion. Hackers need to have access to:
- memory of another server on the network
- targeted domain controllers
- domain administrators' workstations
Once deployed, the Skeleton Key virus inserts the malicious ole64.dll file into WINDOWS\system32\ directory and uses PsExec utility to launch itself remotely. Hacker's password is generated in an NTLM format rather than plain text, allowing him/her to log in as any user on the network and then move laterally. After the intrusion, the malicious DLL file is deleted from the machine.
Skeleton Key is a type of malware that can bypass single-factor authentication to access Windows machines and steal sensitive data
Skeleton Key weaknesses include its inability to infect 32-bit-based Windows systems and Windows server versions beginning 2012, as well as not monitoring network traffic on the host. Additionally, one of the main downfalls of the malware is that it needs to be reinstalled each time the server is rebooted in order to perform operations on the host.
According to researchers, malicious actors managed to infect multiple organizations with Skeleton Key. While the infection is relatively old, it can still be used by hackers and might also be improved to include more functions.
For Skeleton Key removal, victims need to install anti-malware software which could detect the malicious DLL file as well as its code injections into the LSASS process's memory. In the case of system malfunctions post-removal, users should scan their machines with Reimage Reimage Cleaner Intego.
Organisations should protect their networks accordingly
Security researchers reported that Skeleton Key needs to be familiar with the environment where the target computers are located. For example, a malicious employee who was bribed or contacted by hackers could access corporate computers and infect them with malware. Unfortunately, the key characteristic of the infection is stealth, and one person who is not fair is enough to compromise an entire network and compromise even the most sensitive corporate data.
Thus, security researchers advise to take countermeasures to prevent data-stealers:
- Implement multi-factor authentication methods for regular computer access, as well as remote email services and the VPN;
- Security personnel should conduct audits that check from unexpected appearance of PsExec.exe, rundll32.exe and process arguments similar to NTLM hashes;
- Protecting their networks with comprehensive security solutions;
- Ensuring integrity of the employees by conducting security training sessions.
While Skeleton Key lacks in persistence, it is a threat that should be ignored, as it might result in corporate data leak
Skeleton Key virus removal
Skeleton Key removal can be a real challenge as it deletes its main executable file post-infection and barely leaves any traces. However, finding these traces manually can only be done by professional IT experts. Most of the modern-day solutions should be able to track and detect the initial .dll file and even stop its further expansion. Nevertheless, for Skeleton-Key removal, users should employ anti-malware software and run a full system scan.
Note that in some cases, Skeleton key virus might not be the only threat residing on the system, as often happens with Trojans. Therefore, it is possible that anti-malware software might be stopped by those threats in the first place. If that happens, users should access Safe Mode with Networking and perform a full system scan from there.
To remove Skeleton-Key, follow these steps:
Remove Skeleton-Key using Safe Mode with Networking
Go to Windows' Safe Mode with Networking to enable security software to work properly and remove Skeleton Key, as well as other malware:
Step 1: Reboot your computer to Safe Mode with Networking
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window.
Step 2: Remove Skeleton-Key
Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Skeleton-Key removal.
If your ransomware is blocking Safe Mode with Networking, try further method.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Skeleton-Key and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes
Access your website securely from any location
When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.
The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for server or network manager that need to monitor connections and activities. This is how you bypass some of the authentications factors and can remotely use your banking accounts without triggering suspicious with each login.
VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to clock the access to your website from different IP addresses. So you can keep the project safe and secure when you have the dedicated IP address VPN and protected access to the content management system.
Backup files for the later use, in case of the malware attack
Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.
When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.