RGDoor is a malicious Internet Information Services (IIS) backdoor written in C++. It has been seen deployed on web servers belonging to Middle Eastern government organizations, where it provides backdoor access to the compromised IIS servers. [1]

ID: S0258
Platforms: Windows
Version: 1.2
Created: 17 October 2018
Last Modified: 10 September 2021

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

RGDoor uses HTTP for C2 communications.[1]

Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

RGDoor encrypts files with XOR before sending them back to the C2 server.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

RGDoor uses cmd.exe to execute commands on the victim’s machine.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

RGDoor decodes Base64 strings and decrypts strings using a custom XOR algorithm.[1]

Enterprise T1105 Ingress Tool Transfer

RGDoor uploads and downloads files to and from the victim’s machine.[1]

Enterprise T1505 .004 Server Software Component: IIS Components

RGDoor establishes persistence on webservers as an IIS module.[1][2]

Enterprise T1033 System Owner/User Discovery

RGDoor executes the whoami command on the victim’s machine.[1]

Groups That Use This Software

ID Name References
G0049 OilRig