Iran-linked APT OilRig target IIS Web Servers with new RGDoor Backdoor

The Iran-linked cyber-espionage group tracked as OilRig started using a backdoor subbed RGDoor to target Internet Information Services (IIS) Web servers.

The Iran-linked cyber-espionage group tracked as OilRig started using a backdoor dubbed RGDoor to target Internet Information Services (IIS) Web servers.

The OilRig hacker group is an Iran-linked APT that has been around since at least 2015, when targeted mainly organizations in the financial and government sectors, in the United States and Middle Eastern countries.

The hackers used the RGDoor backdoor to target Middle Eastern government organizations and financial and educational institutions.

According to the researchers, RGDoor is a secondary backdoor that allows the hackers to regain access to a compromised Web server when primary TwoFace webshell is discovered and removed.

OilRig hackers are using the TwoFace webshell since at least June 2016, the backdoor

“Unlike TwoFace, the actors did not develop RGDoor in C# to be interacted with at specific URLs hosted by the targeted IIS web server. Instead, the developer created RGDoor using C++, which results in a compiled dynamic link library (DLL).” states the analysis from PaloAlto Networks.

“The DLL has an exported function named “RegisterModule”, which is important as it led us to believe that this DLL was used as a custom native-code HTTP module that the threat actor would load into IIS.” 

The attackers exploited the IIS 7 functionality that allows developers to create modules in C++ to extend IIS’ capabilities, in this way they could carry out custom actions on requests

The “native-code modules can be installed either in the IIS Manager GUI or via the command-line using the ‘appcmd’ application,” Palo Alto has explains.

Malware researchers from Paloalto Networks discovered that the code calls the RegisterModule function with arguments that ignore inbound HTTP GET requests, but act on all HTTP POST requests.

When the IIS server receives an inbound HTTP POST request, the backdoor parses the requests searching for the string in HTTP “Cookie” field.

The find was used to issue cmd$ [command to execute], upload$ [path to file], or download$ [path to file] commands.

“RGDoor then constructs its own HTTP response by first setting the “Content-Type” field within the HTTP header to “text/plain”.” continues the analysis.

The choice of the Cookie fields makes it hard to analyze inbound requests related to RGDoor backdoor because IIS does not log the values within these specific fields of inbound HTTP requests by default.

“This backdoor has a rather limited set of commands, however, the three commands provide plenty of functionality for a competent backdoor, as they allow an actor to upload and download files to the sever, as well as run commands via command prompt. The use of RGDoor suggests that this group has contingency plans to regain access to a compromised network in the event their webshells are discovered and remediated.” concluded Palo Alto Networks.

Technical details, including IoCs are reported in the analysis published by PaloAlto Networks.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – RGDoor backdoor, OilRig)

[adrotate banner=”5″]

[adrotate banner=”13″]