Researchers have found a link between the Winnti backdoor malware and the "skeleton key" virus recently seen targeting Windows Server’s Active Directory.
The hackers behind Skelky, as the malware has been named, are thought to have deployed the backdoor Winnti after researchers found both viruses present on a number of computers.
Gavin O’Gorman, principal intelligence analyst at Symantec, wrote on the firm’s blog: "Backdoor.Winnti has been used in the past in a number of different campaigns, most notably against Asian games companies.
"Given the disparate nature of some victims, it’s unclear if the malware is used by one set of attackers, or many."
Symantec found that Skelky had hit five organisations in the US and Vietnam, though the nature and names of the victims have yet to be discovered.
The firm also said that hackers deployed the virus as early as January 2013, but did not begin sustained usage of it until November of that year, with the campaign ongoing ever since.
"From the first observed use of the tool in January 2013 to the present, the attackers have consistently used the same password," O’Gorman said. "This is the case with three different variants of the tool."
"The regular use of the same password across multiple variants means it’s likely that only one group of attackers has been using the tool until at least January 2015."