Currently viewing ATT&CK v8.2 which was live between October 27, 2020 and April 28, 2021. Learn more about the versioning system or see the live site.
SOFTWARE
Aria-body
SOFTWARE
1-9
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
  1. Home
  2. Software
  3. RGDoor

RGDoor

RGDoor is a malicious Internet Information Services (IIS) backdoor developed in the C++ language. RGDoor has been seen deployed on webservers belonging to the Middle East government organizations. RGDoor provides backdoor access to compromised IIS servers. [1]

ID: S0258
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 17 October 2018
Last Modified: 30 March 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

RGDoor uses HTTP for C2 communications.[1]
Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

RGDoor encrypts files with XOR before sending them back to the C2 server.[1]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

RGDoor uses cmd.exe to execute commands on the victim’s machine.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

RGDoor decodes Base64 strings and decrypts strings using a custom XOR algorithm.[1]
Enterprise T1105 Ingress Tool Transfer

RGDoor uploads and downloads files to and from the victim’s machine.[1]
Enterprise T1033 System Owner/User Discovery

RGDoor executes the whoami on the victim’s machine.[1]

Groups That Use This Software

ID Name References
G0049 OilRig

[1]

References

  1. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.