RGDoor

RGDoor is a malicious Internet Information Services (IIS) backdoor developed in C++. RGDoor has been seen deployed on web servers belonging to Middle Eastern government organizations. RGDoor provides backdoor access to compromised IIS servers. [1]

ID: S0258
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | RGDoor uses cmd.exe to execute commands on the victim’s machine.[1] |
| Enterprise | T1022 | Data Encrypted | RGDoor encrypts files with XOR before sending them back to the C2 server.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | RGDoor decodes Base64 strings and decrypts strings using a custom XOR algorithm.[1] |
| Enterprise | T1105 | Remote File Copy | RGDoor uploads and downloads files to and from the victim’s machine.[1] |
| Enterprise | T1071 | Standard Application Layer Protocol | RGDoor uses HTTP for C2 communications.[1] |
| Enterprise | T1033 | System Owner/User Discovery | RGDoor executes the whoami command on the victim’s machine.[1] |

Groups

Groups that use this software:

OilRig

References