RGDoor

RGDoor is a backdoor written in C++ and employed by the threat actor behind the TwoFace Web shell. According to the researchers who analyzed it, RGDoor serves as a contingency plan in case the actor's primary Web shells are purged from the compromised network. Despite its limited operational abilities, RGDoor still provides enough functionality to be used for a range of harmful purposes. It was deployed in a campaign against the servers of eight Middle Eastern government organizations; one financial and one educational institution also had their servers compromised by the threat.

At its core, RGDoor is an Internet Information Services (IIS) backdoor. Because it is written in C++, it is compiled as a dynamic link library (DLL). The attackers abused the functionality added in IIS 7 that allows external C++ modules to be loaded, a feature designed to extend the default IIS capabilities with custom actions. Unlike TwoFace, RGDoor has no visual shell interface, since it operates as an IIS HTTP module. One potential delivery method is for the TwoFace Web shell to drop RGDoor and register it by executing the following command line:

'%systemroot%\system32\inetsrv\APPCMD.EXE install module /name:[module name] /image:[path to RGDoor DLL] /add:true'
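Because the command above registers the DLL as a native module in IIS configuration, a defender can audit that configuration for unexpected entries. The following Python script is an added example, not part of the original write-up or of the RGDoor research: it checks a collected applicationHost.config for `<globalModules>` registrations whose DLL lives outside the IIS install directory or whose name is absent from a known-good baseline. The config fragment, the baseline set and the 'ContentFilter' entry are constructed sample data.

```python
"""Audit IIS native (global) module registrations in applicationHost.config.

'appcmd install module /name:... /image:... /add:true' writes an <add name image>
entry under <globalModules>; this added example flags entries that point outside
%windir%\\System32\\inetsrv or are not in a known-good baseline.
"""
import xml.etree.ElementTree as ET

# Constructed config fragment in the shape IIS writes. The last entry mimics a
# module registered with appcmd from a DLL outside the IIS directory.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="ContentFilter" image="C:\\inetpub\\temp\\appPools\\filter.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Constructed baseline; a real one is exported from a clean reference server.
KNOWN_GOOD = {"UriCacheModule", "StaticFileModule", "HttpLoggingModule"}
IIS_DIR = "%windir%\\system32\\inetsrv\\"


def audit_global_modules(config_xml, allowlist=KNOWN_GOOD):
    """Return (name, image, reason) for every suspicious <globalModules> entry."""
    root = ET.fromstring(config_xml)
    findings = []
    # root.iter() avoids XPath over the dotted 'system.webServer' tag name.
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            name = add.get("name", "")
            image = add.get("image", "")
            reasons = []
            if not image.lower().startswith(IIS_DIR):
                reasons.append("image outside IIS directory")
            if name not in allowlist:
                reasons.append("module name not in baseline")
            if reasons:
                findings.append((name, image, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, image, reason in audit_global_modules(SAMPLE_CONFIG):
        print(f"SUSPICIOUS module {name!r} -> {image} ({reason})")
```

On a live server the same entries can be compared against the output of `appcmd list modules`, since appcmd reads the same configuration store.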

Once deployed on the targeted server, RGDoor enters a dormant mode in which it listens for commands. It inspects every inbound HTTP POST request received by the IIS server and examines the HTTP 'Cookie' header for instructions from the attackers. To access the Cookie field, the module makes the following function call:

'pHttpContext->GetRequest()->GetHeader("Cookie",NULL)'

After a series of decoding and decrypting steps, RGDoor scans the resulting cleartext for one of three commands: 'cmd$', 'upload$' and 'download$'. While this is a narrow set of commands, it gives the attackers sufficient means to upload files to or download files from the server, as well as to execute arbitrary commands through the command prompt.

The presence of RGDoor signals that the actor plans persistent attacks against the designated targets by establishing a second backdoor.
