Researchers at Edinburgh Napier University have been investigating the Skeleton Key malware within their virtualised security infrastructure.
The core of the attack is the compromise of a Windows domain. To centralise the control of usernames, roles, passwords and rights, a domain controller holds the common account database for the whole domain. This role is so critical that there is often a secondary domain controller holding an up-to-date replica of the domain data. When users log into a domain-joined host (reached over the network as \\HOST) they are authenticated against the domain controller, and their access rights are granted from there. Any compromise or failure of the domain infrastructure can therefore cause major problems within an organisation.
On a Windows system the legitimate ole32.dll is the library that links and embeds objects within Microsoft documents. When the CTU team investigated the 64-bit version of the malware they found that its DLL was named to resemble this file: the samples were called ole64.dll, ole.dll or msuta64.dll (see Figure 2). The msuta64.dll variant also contains debug information, which lets the attacker watch the memory addresses involved when the DLL patches the system. Debug information is used while a program is being tested and lets the developer inspect debug messages and variables; on release of the compiled code a developer would normally switch the debug options off, but here they were left on.
The process involves the attacker first compromising a host within the domain and sustaining a remote connection to it. Next the attacker obtains domain administrator credentials and uses them to locate administrative shares within the domain. Once found, the attacker copies the malicious DLL into C:\Windows\System32 on the domain controller and then runs it with:

psexec -accepteula \\%DCNAME% rundll32 [DLL filename] ii [NTLM password hash]

where [NTLM password hash] is the hash of the password that the attacker wants to use for the impersonated user, and [DLL filename] is the name of one of the malicious DLLs.
PsExec is a useful tool for many domain administrators, as it allows commands to be executed on remote systems. It can, though, be used for malicious purposes: an intruder can run remote commands with administrative rights, including transferring the output of the execution from one system to another over administrative shares and the SMB (Server Message Block) protocol. This operation is typically described as creating a pipe for the data.
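The deployment steps above and the PsExec execution they rely on give a defender three things to look for in process-creation logs on domain controllers: rundll32 loading a DLL with one of the observed file names, rundll32 being invoked with the malware's "ii <NTLM hash>" argument, and PSEXESVC as the parent process. The following Python is an added example, not code from the Napier researchers or the CTU report; the event fields mirror Sysmon Event ID 1 / Windows event 4688, the sample events are constructed for this example, and the 32-hex value is a placeholder rather than a real hash.

```python
"""Hunting for the Skeleton Key deployment pattern in process-creation logs.

Added example, not code from the Edinburgh Napier or CTU write-ups.
It looks for the observables the text gives: rundll32 loading a DLL with
one of the known Skeleton Key file names, rundll32 being invoked with the
malware's "ii <NTLM hash>" argument, and PsExec's service (PSEXESVC) as
the parent process.  Field names follow Sysmon Event ID 1 / Windows event
4688; the sample events below are constructed.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# File names the CTU team observed for the Skeleton Key DLL.
SKELETON_KEY_DLLS = {"ole64.dll", "ole.dll", "msuta64.dll"}

# Shape of the deployment command: rundll32 <dll> ii <NTLM hash>.
# An NTLM hash is 16 bytes, so it appears as exactly 32 hex digits.
RUNDLL_II_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^"\s]+)"?\s+ii\s+(?P<hash>[0-9a-f]{32})(?:\s|$)',
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    """One process-creation record (the fields Sysmon ID 1 / 4688 carry)."""
    host: str
    image: str           # full path of the new process
    command_line: str
    parent_image: str    # full path of the process that started it


def file_name(path: str) -> str:
    """Lower-case file name from a Windows path or a bare file name."""
    return PureWindowsPath(path).name.lower()


def assess(ev: ProcessEvent):
    """Return (severity, reasons) for one event.

    'high'   : rundll32 ran a known Skeleton Key file name with the ii <hash> argument
    'medium' : one of those two indicators alone (covers a renamed DLL)
    'low'    : only PsExec execution, which administrators use legitimately too
    None     : nothing in the event relates to the indicators above
    """
    reasons = []
    is_rundll32 = file_name(ev.image) == "rundll32.exe"
    via_psexec = file_name(ev.parent_image) == "psexesvc.exe"

    match = RUNDLL_II_RE.search(ev.command_line)
    cmd_shape = is_rundll32 and match is not None
    if cmd_shape:
        reasons.append(f"rundll32 invoked as '<dll> ii <32 hex digits>' with {match.group('dll')}")

    known_name = False
    if is_rundll32:
        # rundll32's first argument is "<dll>[,<entry point>]"; check every token
        for token in ev.command_line.split()[1:]:
            if file_name(token.strip('"').split(",")[0]) in SKELETON_KEY_DLLS:
                known_name = True
                reasons.append(f"DLL name matches a known Skeleton Key sample: {token}")

    if via_psexec:
        reasons.append("started by the PsExec service (PSEXESVC.exe)")

    if cmd_shape and known_name:
        severity = "high"
    elif cmd_shape or known_name:
        severity = "medium"
    elif via_psexec:
        severity = "low"
    else:
        severity = None
    return severity, reasons


def hunt(events):
    """Return (host, severity, reasons) for every event that matched something."""
    hits = []
    for ev in events:
        severity, reasons = assess(ev)
        if severity is not None:
            hits.append((ev.host, severity, reasons))
    return hits


# Constructed sample events; the 32-hex value is a placeholder, not a real hash.
FAKE_HASH = "0123456789abcdef0123456789abcdef"
SAMPLE_EVENTS = [
    ProcessEvent("DC01", r"C:\Windows\System32\rundll32.exe",
                 f"rundll32 ole64.dll ii {FAKE_HASH}", r"C:\Windows\PSEXESVC.exe"),
    ProcessEvent("DC01", r"C:\Windows\System32\rundll32.exe",
                 rf"rundll32.exe C:\Windows\System32\msuta64.dll ii {FAKE_HASH}",
                 r"C:\Windows\PSEXESVC.exe"),
    ProcessEvent("WS17", r"C:\Windows\System32\rundll32.exe",
                 "rundll32.exe shell32.dll,Control_RunDLL", r"C:\Windows\explorer.exe"),
    ProcessEvent("DC02", r"C:\Windows\System32\cmd.exe",
                 "cmd /c ipconfig /all", r"C:\Windows\PSEXESVC.exe"),
    ProcessEvent("DC01", r"C:\Windows\System32\rundll32.exe",
                 rf"rundll32 C:\Windows\System32\update.dll ii {FAKE_HASH}",
                 r"C:\Windows\services.exe"),
]

if __name__ == "__main__":
    for host, severity, reasons in hunt(SAMPLE_EVENTS):
        print(f"{host}: {severity}: " + "; ".join(reasons))
```

Run it directly to print the hits for the sample events. A known file name together with the ii argument is rated high, either one alone medium (a renamed DLL still shows the command shape), and PsExec on its own only low, because, as the text notes, administrators use PsExec legitimately; the PsExec parent is recorded as context rather than treated as an alert by itself.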
More details here.