Iran APT organizations use new RGDoor Backdoor to attack Middle Eastern government organizations and financial and educational institutions

In a recent survey, researchers at Palo Alto Networks threat intelligence discovered an Internet Information Services (IIS) Web server backdoor that they named “RGDoor.”

The backdoor was found deployed on eight Web servers belonging to Middle Eastern government agencies, as well as a financial institution and an educational institution.

According to the researchers, RGDoor is an auxiliary backdoor for use when the backdoor TwoFace shell is removed.

The TwoFace shell, a backdoor that has been discovered in previous years, has been used by Iran’s APT OilRig since at least June 2016 to target government agencies and financial institutions in the United States and the Middle East.

Specifically, OilRig uses RGDoor as a back-gate to regain access to infected Web servers when the victim organization detects and removes the TwoFace shell.

Analyst PaloAlto Networks explains: “Unlike TwoFace, OilRig did not develop RGDoor in C # to interact with a specific URL hosted by the target IIS Web server. Instead, developers created RGDoor using C ++, This produces a compiled DLL (Dynamic Link Library). ”

Starting with IIS 7, developers can use C ++ to create modules that extend the capabilities of IIS Web servers, such as customizing requests, which OilRig took advantage of.

The report explains: The “native-code modules can be installed either in the IIS Manager GUI or via the command-line using the ‘appcmd’ application.

The researchers found that the code calls the RegisterModule function with parameters that ignore inbound HTTP GET requests, but all HTTP POST requests are seen by the IIS Web server, even if POST requests are sent over HTTPS.

When the IIS Web server receives an inbound HTTP POST request, the backdoor resolves the request to search for a string in the HTTP “Cookie” field.

The code will parse the plaintext looking for one of three commands:

• cmd$ [command to execute]
• upload$ [path to file]
• download$ [path to file]

The researchers emphasize that although RGDoor’s command set is limited, these three commands provide ample back-door functionality. Because it allows an attacker to run commands from a command prompt, upload arbitrary files to the server, or download arbitrary files from the server.