RGDoor is a malicious Internet Information Services (IIS) backdoor developed in the C++ language. RGDoor has been seen deployed on webservers belonging to the Middle East government organizations. RGDoor provides backdoor access to compromised IIS servers. ^[1]

ID: S0258

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.2

Created: 17 October 2018

Last Modified: 10 September 2021

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	RGDoor uses HTTP for C2 communications.^[1]
Enterprise	T1560	.003	Archive Collected Data: Archive via Custom Method	RGDoor encrypts files with XOR before sending them back to the C2 server.^[1]
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	RGDoor uses cmd.exe to execute commands on the victim’s machine.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	RGDoor decodes Base64 strings and decrypts strings using a custom XOR algorithm.^[1]
Enterprise	T1105		Ingress Tool Transfer	RGDoor uploads and downloads files to and from the victim’s machine.^[1]
Enterprise	T1505	.004	Server Software Component: IIS Components	RGDoor establishes persistence on webservers as an IIS module.^[1]^[2]
Enterprise	T1033		System Owner/User Discovery	RGDoor executes the `whoami` on the victim’s machine.^[1]

Groups That Use This Software

ID	Name	References
G0049	OilRig	^[1]

References

Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.

Hromcová, Z., Cherepanov, A. (2021). Anatomy of Native IIS Malware. Retrieved September 9, 2021.

RGDoor

Enterprise Layer

Techniques Used

Groups That Use This Software

References