Summary: The AhnLab Security Intelligence Center has detailed the Andariel threat group’s use of RID Hijacking, a technique that allows attackers to escalate privileges undetected. This method involves manipulating the Relative Identifier (RID) of low-privilege accounts to impersonate high-privilege accounts and generate hidden accounts that evade standard detection. The group’s sophisticated tactics, including registry manipulation and custom tools, enhance their stealth and persistence during breaches.
Affected: Organizations worldwide targeted by Andariel (a subgroup of Lazarus Group)
Key points:
- RID Hijacking enables low-privilege accounts to be recognized as high-privilege accounts by modifying the RID value.
- Andariel creates hidden accounts that do not appear in standard listings by appending a ‘$’ to their names.
- Detection is challenging due to registry manipulation and custom tools, making threat remediation complex.
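The two indicators above can be audited offline from a SAM export: the RID a subkey is named after should match the RID stored inside its F value, and account names ending in '$' deserve a second look. The following is an added example for defenders, not code from the ASEC report or from Andariel's tooling; it assumes the F value carries the effective RID as a 4-byte little-endian DWORD at offset 0x30 and that Users subkeys are named by the RID in 8-hex-digit form, and the SAM records it checks are constructed sample data.

```python
import struct

# Assumption: in each HKLM\SAM\SAM\Domains\Account\Users\<RID> subkey, the binary
# "F" value stores the account's effective RID as a little-endian DWORD at 0x30.
RID_OFFSET = 0x30
ADMIN_RID = 500  # built-in Administrator RID


def rid_from_f_value(f_value: bytes) -> int:
    """Return the RID embedded in an F value (assumed offset 0x30)."""
    if len(f_value) < RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID")
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]


def audit_sam_users(users):
    """Flag RID hijacking and hidden-style accounts.

    users: iterable of (subkey_name, account_name, f_value), where subkey_name is
    the 8-hex-digit RID used as the registry key name (e.g. '000003E8' == 1000).
    Returns a list of finding strings; an empty list means nothing suspicious.
    """
    findings = []
    for subkey, name, f_value in users:
        key_rid = int(subkey, 16)          # RID the subkey claims
        stored_rid = rid_from_f_value(f_value)  # RID Windows will actually use
        if stored_rid != key_rid:
            severity = "ADMIN" if stored_rid == ADMIN_RID else "other"
            findings.append(
                f"RID mismatch ({severity}): key {subkey} = {key_rid}, "
                f"but F value holds {stored_rid} for account '{name}'"
            )
        if name.endswith("$"):
            findings.append(f"hidden-style account name: '{name}' (trailing '$')")
    return findings


def make_f_value(rid: int) -> bytes:
    """Build a minimal constructed F blob: zero-filled, RID at the assumed offset."""
    blob = bytearray(0x50)
    struct.pack_into("<I", blob, RID_OFFSET, rid)
    return bytes(blob)


# Constructed sample records: one legitimate admin, one hijacked '$' account
# (key says RID 1000 but the F value says 500), and one untouched user.
SAMPLE_USERS = [
    ("000001F4", "Administrator", make_f_value(500)),
    ("000003E8", "svcbackup$", make_f_value(500)),
    ("000003E9", "jsmith", make_f_value(1001)),
]

if __name__ == "__main__":
    for finding in audit_sam_users(SAMPLE_USERS):
        print(finding)
```

On a live host the same check can be fed from an offline copy of the SAM hive, since the registry view from a low-privilege session will not show these subkeys.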