S0258 RGDoor
RGDoor is a malicious Internet Information Services (IIS) backdoor developed in C++. RGDoor has been seen deployed on webservers belonging to Middle East government organizations, and it provides backdoor access to the compromised IIS servers.[1]
| Item | Value |
|---|---|
| ID | S0258 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.2 |
| Created | 17 October 2018 |
| Last Modified | 10 September 2021 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | RGDoor uses HTTP for C2 communications.[1] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.003 | Archive via Custom Method | RGDoor encrypts files with XOR before sending them back to the C2 server.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | RGDoor uses cmd.exe to execute commands on the victim's machine.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | RGDoor decodes Base64 strings and decrypts strings using a custom XOR algorithm.[1] |
| enterprise | T1105 | Ingress Tool Transfer | RGDoor uploads and downloads files to and from the victim's machine.[1] |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.004 | IIS Components | RGDoor establishes persistence on webservers as an IIS module.[1][2] |
| enterprise | T1033 | System Owner/User Discovery | RGDoor executes the whoami command on the victim's machine.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0049 | OilRig | [1] |