Full Report
AhnLab SEcurity intelligence Center (ASEC) has identified the Andariel attack group using a malicious file to perform an RID Hijacking attack during the breach process. RID Hijacking is an attack technique that involves modifying the Relative Identifier (RID) value of an account with restricted privileges, such as a regular user or guest account, to […]
Analysis Summary
# Threat Actor: Andariel
## Attribution & Identity
Threat actor group identified as **Andariel**. The information stems from analysis by AhnLab SEcurity intelligence Center (ASEC) and references KISA's TTPs #11 ("Operation An Octopus").
## Activity Summary
Andariel is actively utilizing a sophisticated privilege escalation technique known as **RID Hijacking** as part of their breach methodology. This technique is employed to create a persistent, backdoor account with administrative privileges without needing passwords. The process involves gaining SYSTEM privileges, creating a hidden local user account (often appended with '$'), adding it to privileged groups (like Administrators and Remote Desktop Users), manipulating the Security Account Manager (SAM) database registry entries to spoof the account's Relative Identifier (RID) to match that of a high-privilege account, and then attempting to hide traces of the created account using registry manipulation (exporting/importing keys).
## Tactics, Techniques & Procedures
- **Privilege Escalation:** Specifically targeting SYSTEM privileges on the compromised host, often using tools like **PsExec**.
- **System Information Discovery/Manipulation:** Accessing and modifying the **Security Account Manager (SAM) registry** database (located at `HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users`).
- **Account Creation:** Creating local user accounts, sometimes appending a '$' to the name to hide them from standard enumeration tools like `net user`.
- **RID Hijacking:** Modifying the 4-byte RID value stored at the `0x30 – 0x33` offset within the 'F' value of the account key in the SAM registry to impersonate an administrator account.
- **Persistence/Evasion:** Adding the created account to the Remote Desktop Users group for RDP access, then exporting the account's registry keys (`reg export`), deleting the account, and re-importing the keys to obscure its presence; this does not reliably hide the account from every enumeration method until the next reboot.
- **MITRE ATT&CK Mappings (Inferred from TTPs):** T1078.003 (Valid Accounts: Local Accounts), T1548.002 (Abuse Elevation Control Mechanism), T1003.001 (OS Credential Dumping: SAM).
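The following Python script is an added example written for this summary (it is not ASEC's or Andariel's code) showing how a defender can check for the RID manipulation described above: SAM user keys under `Users` are named with the account's RID as eight hex digits, so a key whose name does not match the 4-byte little-endian RID at offset `0x30` of its `F` value is a hijack indicator. The `F` blobs are constructed and minimal (only the RID field is populated); reading the live SAM hive requires SYSTEM privileges and an offline hive parser, which are assumed to supply the `key name -> F bytes` mapping.

```python
import struct

# Offset of the 4-byte little-endian RID inside a SAM user key's 'F' value
RID_OFFSET = 0x30


def parse_f_rid(f_value: bytes) -> int:
    """Return the RID stored at offset 0x30 of a SAM user key's 'F' value."""
    if len(f_value) < RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID field")
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]


def key_name_rid(key_name: str) -> int:
    """SAM user keys are named with the RID as 8 hex digits, e.g. '000003E8' == 1000."""
    return int(key_name, 16)


def find_rid_mismatches(users: dict) -> list:
    """users maps SAM key name -> raw 'F' value bytes.

    Returns (key_name, rid_from_name, rid_from_f) for every key whose stored
    RID disagrees with its name, which is the footprint of RID hijacking.
    """
    mismatches = []
    for key_name, f_value in users.items():
        rid_from_name = key_name_rid(key_name)
        rid_from_f = parse_f_rid(f_value)
        if rid_from_name != rid_from_f:
            mismatches.append((key_name, rid_from_name, rid_from_f))
    return mismatches


def make_f_value(rid: int) -> bytes:
    """Constructed helper: an 0x50-byte F blob with only the RID field set."""
    buf = bytearray(0x50)
    struct.pack_into("<I", buf, RID_OFFSET, rid)
    return bytes(buf)


# Constructed sample SAM contents (not taken from any real host)
SAMPLE_USERS = {
    "000001F4": make_f_value(500),   # Administrator, consistent
    "000001F5": make_f_value(501),   # Guest, consistent
    "000003E8": make_f_value(500),   # hidden account whose RID was rewritten to 500
}

if __name__ == "__main__":
    for key, name_rid, f_rid in find_rid_mismatches(SAMPLE_USERS):
        print(f"RID hijack indicator: key {key} (RID {name_rid}) "
              f"carries RID {f_rid} in its F value")
```

Run against an exported or offline copy of the SAM hive, any mismatch should be treated as a high-confidence finding; the check is cheap enough to schedule as a periodic integrity scan alongside the registry monitoring recommended in the mitigations.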
## Targeting
- **Sectors:** Not explicitly detailed, but the reference to centralized management solutions suggests targeting of organizations relying on these systems.
- **Geography:** Implied focus on South Korean entities given the source of the intelligence (ASEC, KISA).
- **Victims:** Specific organizations are not detailed in this summary, but the TTP analysis is based on observed breach incident cases.
## Tools & Infrastructure
- **Malware/Tools:**
  - A custom **malicious file** used by Andariel to execute the RID Hijacking steps with SYSTEM privilege.
  - The open-source tool **`CreateHiddenAccount`** (Andariel's custom tool differs slightly, including in how permissions are handled at execution).
  - **PsExec** (used to gain SYSTEM privilege execution).
  - **JuicyPotato** (mentioned as a potential privilege escalation tool).
- **Infrastructure:** Not explicitly mentioned in the context of C2 infrastructure, but internal system administrative tools (`net user`, `net localgroup`, `reg export`) are utilized heavily.
## Implications
Andariel employs advanced, low-level Windows operating system manipulation techniques (RID Hijacking) that specifically evade common **behavior-based detection systems**. Successfully executing this technique grants persistent, difficult-to-detect administrative access, bypassing primary authentication mechanisms (passwords). The attempt to clean up traces via registry export/re-import shows a high level of operational security awareness focused on minimizing forensic artifacts.
## Mitigations
- **Strict Monitoring of SAM Registry:** Implement enhanced monitoring and alerting for reads, writes, or modifications to the SAM hive, particularly keys under `HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users`.
- **SYSTEM Privilege Restriction:** Severely limit or tightly control processes/users capable of achieving or executing commands with SYSTEM privileges (e.g., restricting PsExec usage).
- **Anomaly Detection:** Focus detection logic on unusual account creation patterns, especially accounts created via command-line adjacent to privilege escalation events, and any attempts to manipulate user RIDs or registry paths associated with security accounts.
- **Endpoint Detection & Response (EDR):** Utilize EDR solutions capable of deep behavioral analysis that capture the sequence of events leading to registry modification, even if the final account is deleted or obscured.
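As an added example of the anomaly-detection logic recommended above (written for this summary, not part of the ASEC report or any EDR product), the Python below correlates Windows Security events for account creation (4720), local group membership changes (4732) and account deletion (4726) with registry value writes under the SAM `Users` key (Sysmon event 13 or Security event 4657). The sample events are constructed, field names are simplified, and the 15-minute window and the three-indicator threshold are assumptions to tune for the environment.

```python
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}
SAM_USERS_MARKER = r"\sam\sam\domains\account\users"   # matches HKLM\ and \REGISTRY\MACHINE\ forms
WINDOW = timedelta(minutes=15)                          # assumed correlation window
MIN_INDICATORS = 3                                      # assumed alert threshold


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample events (simplified Security/Sysmon fields, not real telemetry)
SAMPLE_EVENTS = [
    {"ts": ts("2025-01-10 02:00:05"), "id": 4720, "user": "backup$", "subject": "SYSTEM"},
    {"ts": ts("2025-01-10 02:00:06"), "id": 4732, "user": "backup$", "group": "Administrators"},
    {"ts": ts("2025-01-10 02:00:07"), "id": 4732, "user": "backup$", "group": "Remote Desktop Users"},
    {"ts": ts("2025-01-10 02:00:20"), "id": 13,
     "path": r"HKLM\SAM\SAM\Domains\Account\Users\000003E8\F", "image": r"C:\Windows\Temp\svc.exe"},
    {"ts": ts("2025-01-10 02:01:00"), "id": 4726, "user": "backup$"},
    {"ts": ts("2025-01-10 09:15:00"), "id": 4720, "user": "jsmith", "subject": "itadmin"},
    {"ts": ts("2025-01-10 09:15:02"), "id": 4732, "user": "jsmith", "group": "Users"},
]


def is_sam_users_write(ev: dict) -> bool:
    """Sysmon 13 (RegistryEvent value set) or Security 4657 touching the SAM Users key."""
    return ev["id"] in (13, 4657) and SAM_USERS_MARKER in ev.get("path", "").lower()


def created_by_system(subject: str) -> bool:
    # Constructed simplification: a SYSTEM-context creation shows up as "SYSTEM" here;
    # in real 4720 events it appears as the machine account (HOSTNAME$).
    return subject.upper() == "SYSTEM" or subject.endswith("$")


def correlate(events: list) -> list:
    """Return one finding per 4720 event that accumulates MIN_INDICATORS or more."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for ev in events:
        if ev["id"] != 4720:
            continue
        window_end = ev["ts"] + WINDOW
        related = [e for e in events if ev["ts"] <= e["ts"] <= window_end]
        indicators = []
        if ev["user"].endswith("$"):
            indicators.append("hidden-style name")
        if created_by_system(ev.get("subject", "")):
            indicators.append("created by SYSTEM")
        groups = {e["group"] for e in related
                  if e["id"] == 4732 and e.get("user") == ev["user"]}
        if groups & PRIVILEGED_GROUPS:
            indicators.append("added to " + ", ".join(sorted(groups & PRIVILEGED_GROUPS)))
        if any(is_sam_users_write(e) for e in related):
            indicators.append("SAM Users key written")
        if any(e["id"] == 4726 and e.get("user") == ev["user"] for e in related):
            indicators.append("deleted within window")
        if len(indicators) >= MIN_INDICATORS:
            findings.append({"user": ev["user"], "ts": ev["ts"], "indicators": indicators})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['ts']} suspicious account {f['user']}: " + "; ".join(f["indicators"]))
```

The deletion indicator is deliberate: because the technique deletes the account after exporting its keys, a detection keyed only on accounts that still exist would miss the sequence, whereas correlating creation, privileged group membership, a SAM `Users` write and deletion inside one window survives the cleanup. Note that auditing of the SAM key must be enabled (or Sysmon configured to log writes under it) for the registry indicator to appear at all.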