RGDoor is a malicious Internet Information Services (IIS) backdoor written in C++. RGDoor has been seen deployed on web servers belonging to Middle Eastern government organizations, and it provides backdoor access to the compromised IIS servers. [1]

ID: S0258
Platforms: Windows
Version: 1.0

Techniques Used

Domain      ID     Name                                   Use
Enterprise  T1059  Command-Line Interface                 RGDoor uses cmd.exe to execute commands on the victim's machine. [1]
Enterprise  T1022  Data Encrypted                         RGDoor encrypts files with XOR before sending them back to the C2 server. [1]
Enterprise  T1140  Deobfuscate/Decode Files or Information  RGDoor decodes Base64 strings and decrypts strings using a custom XOR algorithm. [1]
Enterprise  T1105  Remote File Copy                       RGDoor uploads and downloads files to and from the victim's machine. [1]
Enterprise  T1071  Standard Application Layer Protocol    RGDoor uses HTTP for C2 communications. [1]
Enterprise  T1033  System Owner/User Discovery            RGDoor executes the whoami command on the victim's machine. [1]

Groups That Use This Software

ID     Name    References
G0049  OilRig  [1]