RGDoor

RGDoor is a malicious Internet Information Services (IIS) backdoor developed in C++. RGDoor has been seen deployed on web servers belonging to Middle East government organizations and provides backdoor access to the compromised IIS servers. [1]

ID: S0258
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

Domain     | ID    | Name                                   | Use
Enterprise | T1059 | Command-Line Interface                 | RGDoor uses cmd.exe to execute commands on the victim's machine. [1]
Enterprise | T1022 | Data Encrypted                         | RGDoor encrypts files with XOR before sending them back to the C2 server. [1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | RGDoor decodes Base64 strings and decrypts strings using a custom XOR algorithm. [1]
Enterprise | T1105 | Remote File Copy                       | RGDoor uploads and downloads files to and from the victim's machine. [1]
Enterprise | T1071 | Standard Application Layer Protocol    | RGDoor uses HTTP for C2 communications. [1]
Enterprise | T1033 | System Owner/User Discovery            | RGDoor executes whoami on the victim's machine. [1]

Groups

Groups that use this software:

OilRig

References