
The process of a RID Hijacking attack | Source: ASEC
The AhnLab Security Intelligence Center (ASEC) has uncovered details of the Andariel threat group’s use of a sophisticated RID Hijacking technique to escalate privileges during breaches. Andariel, a subgroup of the Lazarus Group linked to North Korea, continues to refine its arsenal for targeting organizations worldwide.
RID Hijacking manipulates the Relative Identifier (RID) value of a low-privilege account (e.g., guest or standard user) to match the RID of a high-privilege account, such as an administrator. ASEC explains, “By modifying the RID value, threat actors can deceive the system into treating the account as having administrator privileges.”
This stealthy technique is challenging to detect using behavior-based detection systems due to its manipulation of Windows’ Security Account Manager (SAM) database. ASEC notes that the Andariel group employs RID Hijacking to create hidden accounts, making their presence almost invisible to system administrators.
The Andariel group follows a multi-step process for RID Hijacking:
- Privilege Escalation to SYSTEM: Threat actors use tools like PsExec to escalate privileges to the SYSTEM level, which is required to modify the SAM registry.
- Creating Hidden Accounts: Andariel creates hidden accounts by appending a “$” to the account name, ensuring they do not appear in standard account lists. As ASEC highlights, “The account cannot be identified using the ‘net user’ command, and can only be identified in the SAM registry.”
- Modifying RID Values: The group modifies the RID value of the created account in the SAM registry, allowing the operating system to treat the account as an administrator.
- Registry Manipulation for Stealth: Andariel extracts the registry keys of the account, deletes the account, and re-adds it to minimize exposure. This method ensures the account is not easily visible in most system management tools.
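A defender-side check for the two artifacts this process leaves in the SAM hive, added here as an example and not taken from ASEC's report or from any tool it names. It assumes it runs as SYSTEM (a normal administrator session cannot read HKLM\SAM) and that the RID is stored at offset 0x30 of each user key's binary F value, which is the field RID Hijacking rewrites.

```powershell
# Added example, not from ASEC or any tool named in the article.
# Assumption: executed as SYSTEM (e.g. from a "psexec -s" shell); a normal
# administrator session is denied read access to HKLM\SAM.
function Find-RidHijack {
    $usersKey = 'HKLM:\SAM\SAM\Domains\Account\Users'

    # Each user subkey is named with the account RID in hex (000001F4 = 500).
    # The same RID is stored little-endian at offset 0x30 of the binary F value.
    # RID Hijacking rewrites that field, so a mismatch between the key name
    # and the stored RID is the signal to look for.
    $userKeys = Get-ChildItem -Path $usersKey -ErrorAction Stop |
        Where-Object { $_.PSChildName -ne 'Names' }

    foreach ($key in $userKeys) {
        $keyRid = [Convert]::ToUInt32($key.PSChildName, 16)
        $f = (Get-ItemProperty -Path $key.PSPath -Name 'F').F
        if ($f.Length -lt 0x34) { continue }   # malformed F value, skip it
        $storedRid = [BitConverter]::ToUInt32($f, 0x30)
        [PSCustomObject]@{
            Check      = 'RidMismatch'
            Subject    = $key.PSChildName
            KeyRid     = $keyRid
            StoredRid  = $storedRid
            Suspicious = ($keyRid -ne $storedRid)
        }
    }

    # Names ending in "$" are hidden from "net user" but remain listed under
    # the Names subkey; on a local SAM such a name is unexpected.
    Get-ChildItem -Path "$usersKey\Names" | ForEach-Object {
        [PSCustomObject]@{
            Check      = 'HiddenName'
            Subject    = $_.PSChildName
            KeyRid     = $null
            StoredRid  = $null
            Suspicious = $_.PSChildName.EndsWith('$')
        }
    }
}

# Report only the suspicious entries; review both checks together, since a
# hidden "$" account is usually the one whose RID has been hijacked.
Find-RidHijack | Where-Object Suspicious | Format-Table -AutoSize
```

A mismatched RID on an account you did not create is worth treating as a persistence finding rather than a configuration error, since a reboot can make the account reappear in standard tooling while the hive modification remains.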
The report also reveals the group’s reliance on custom malware and tools like CreateHiddenAccount, an open-source utility designed for RID Hijacking. ASEC compares the tools, noting, “Samples developed by the Andariel threat group cannot perform their functions properly without system privileges. The open-source tool CreateHiddenAccount can perform all of its functions even with administrator privileges.”
The Andariel group’s techniques show a high level of operational security. Although accounts created through RID Hijacking can sometimes be detected after system reboots, the group’s use of registry manipulation and hidden attributes makes detection and removal extremely challenging.
ASEC notes, “The threat actor’s behavior can be interpreted as intending to minimize account exposure and maintain persistence.”