North Korean hackers exploit RID hijacking to elevate privileges on Windows systems


A new cyber campaign, attributed to the North Korean-linked Andariel threat group, is using a sophisticated technique that allows low-privileged user accounts to gain administrator-level access on Windows systems. The technique, known as RID hijacking, exploits a vulnerability in the way Windows handles user permissions.

Andariel is a state-backed group closely associated with North Korea’s notorious Lazarus Group. Andariel has a history of conducting targeted attacks against South Korean and international organizations. In July 2024, the US authorities charged an alleged Andariel hacker with ransomware attacks on US hospitals and health care providers.

According to a recent report from South Korea’s AhnLab, the attackers use a combination of custom malicious files and an open-source tool to execute the hijacking attack. The method involves modifying the Relative Identifier (RID) of a low-privilege account, which is part of the Security Identifier (SID) assigned to each user account in a Windows system. By changing the RID to that of an administrator account, Windows treats the low-privilege account as if it has elevated permissions.

The SID is a unique tag that Windows uses to distinguish between user accounts, and its final component is the RID. Certain well-known RIDs identify built-in accounts with different levels of access—“500” for the administrator, “501” for the guest account, and so on. By hijacking the RID, attackers can grant themselves access to resources that are typically restricted to higher-level accounts.

To perform the hijacking, the attacker first needs to gain SYSTEM-level access to the target machine. The attackers then use tools such as PsExec and JuicyPotato to elevate their privileges and launch commands with SYSTEM access, which is the highest permission level in Windows. Though SYSTEM access offers full control over the system, it has limitations such as a lack of remote access capabilities, difficulty in interacting with GUI applications, and its high detectability.

To work around the restrictions, the Andariel hackers create a hidden, low-privilege local user account using the “net user” command with a special character at the end of the username, which prevents the account from appearing in basic user listings. This stealthy user account is then modified in the Security Account Manager (SAM) registry, granting it elevated privileges.

Once the account's privileges are escalated, the attackers add it to the Remote Desktop Users and Administrators groups, further increasing their control over the system.
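As an added defender-side example (not code from the AhnLab report or from this article), the check below looks for the SAM modification described above. It assumes, as documented for this technique, that each local account's RID is stored as a little-endian DWORD at offset 0x30 of the F value under HKLM\SAM\SAM\Domains\Account\Users\<hex RID>; an account whose stored RID no longer matches its own key name has had its RID rewritten. The live-registry loader is Windows-only and must run as SYSTEM, while the constructed sample data lets the check run anywhere.

```python
import struct
from typing import Dict, List

# Assumption: RID field sits at offset 0x30 of the SAM "F" value (little-endian DWORD).
F_RID_OFFSET = 0x30
F_VALUE_SIZE = 0x50          # typical length of an F value
ADMIN_RID = 500              # well-known RID of the built-in Administrator


def parse_f_rid(f_value: bytes) -> int:
    """Return the RID stored inside an F value blob."""
    if len(f_value) < F_RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID field")
    return struct.unpack_from("<I", f_value, F_RID_OFFSET)[0]


def find_rid_hijacks(users: Dict[str, bytes]) -> List[dict]:
    """users maps each registry key name (hex RID, e.g. '000003E9') to its F value.
    A key whose stored RID differs from the key name is reported as tampered."""
    findings = []
    for key_name, f_value in users.items():
        key_rid = int(key_name, 16)
        stored_rid = parse_f_rid(f_value)
        if stored_rid != key_rid:
            findings.append({"key": key_name, "key_rid": key_rid,
                             "stored_rid": stored_rid,
                             "impersonates_admin": stored_rid == ADMIN_RID})
    return findings


def load_users_from_registry() -> Dict[str, bytes]:
    """Windows-only: read the live SAM. Requires SYSTEM rights (e.g. run via psexec -s)."""
    import winreg  # imported here so the offline sample below runs on any platform
    users, path = {}, r"SAM\SAM\Domains\Account\Users"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            if name == "Names":            # the Names subkey is not an account entry
                continue
            with winreg.OpenKey(root, name) as k:
                users[name] = winreg.QueryValueEx(k, "F")[0]
    return users


def make_f_value(rid: int) -> bytes:
    """Constructed minimal F blob: zeros apart from the RID field (sample data only)."""
    buf = bytearray(F_VALUE_SIZE)
    struct.pack_into("<I", buf, F_RID_OFFSET, rid)
    return bytes(buf)


# Constructed sample: one consistent admin, one normal user, one rewritten account.
SAMPLE_USERS = {
    "000001F4": make_f_value(500),    # built-in Administrator, untouched
    "000003E9": make_f_value(1001),   # ordinary local user, untouched
    "000003EA": make_f_value(500),    # hidden account whose RID was rewritten to 500
}
```

On a live system, replace `SAMPLE_USERS` with `load_users_from_registry()` and treat any finding with `impersonates_admin` set as a priority incident.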
