
S0258 RGDoor

RGDoor is a malicious Internet Information Services (IIS) backdoor written in C++. RGDoor has been seen deployed on web servers belonging to Middle Eastern government organizations, and it provides backdoor access to the compromised IIS servers. [1]

ID: S0258
Associated Names: (none)
Version: 1.2
Created: 17 October 2018
Last Modified: 10 September 2021

Techniques Used

Domain      ID          Name                                      Use
enterprise  T1071       Application Layer Protocol                (parent technique; see sub-technique below)
enterprise  T1071.001   Web Protocols                             RGDoor uses HTTP for C2 communications. [1]
enterprise  T1560       Archive Collected Data                    (parent technique; see sub-technique below)
enterprise  T1560.003   Archive via Custom Method                 RGDoor encrypts files with XOR before sending them back to the C2 server. [1]
enterprise  T1059       Command and Scripting Interpreter         (parent technique; see sub-technique below)
enterprise  T1059.003   Windows Command Shell                     RGDoor uses cmd.exe to execute commands on the victim's machine. [1]
enterprise  T1140       Deobfuscate/Decode Files or Information   RGDoor decodes Base64 strings and decrypts strings using a custom XOR algorithm. [1]
enterprise  T1105       Ingress Tool Transfer                     RGDoor uploads and downloads files to and from the victim's machine. [1]
enterprise  T1505       Server Software Component                 (parent technique; see sub-technique below)
enterprise  T1505.004   IIS Components                            RGDoor establishes persistence on web servers as an IIS module. [1][2]
enterprise  T1033       System Owner/User Discovery               RGDoor executes whoami on the victim's machine. [1]

Groups That Use This Software

ID      Name     References
G0049   OilRig   [1]