RGDoor

Malware entry, updated 2024-09-12T00:18:01.639Z
RGDoor is an Internet Information Services (IIS) backdoor attributed to APT34 (OilRig). It is not delivered to end users through downloads, email, or websites; it is installed on a web server the actor has already compromised. RGDoor inspects every inbound POST request to the server for commands, so the actor does not need to use a specific URL to interact with it, and URL-based filtering or monitoring will not see the traffic. The malware operates as a secondary backdoor, deployed so the actor can regain access to the compromised webserver if the victim organization detects and removes the primary TwoFace shell.

The RGDoor DLL (HTTPParser.dll) is registered as a native IIS module under the module name HTTPParser, as depicted in Figure 2. Figure 1 shows the specific command used to install RGDoor on an IIS server.

By default, IIS W3C logging does not record the value of the Cookie field of inbound HTTP requests, which is where the commands issued to RGDoor are carried, so a default configuration keeps no record of the actor's activity. To monitor inbound RGDoor requests, administrators must enable logging of the Cookie field (cs(Cookie)), which can be selected in the W3C Logging Fields dialog in IIS Manager. Logged Cookie values also include legitimate session tokens, so the log files must then be protected accordingly.

Reporting on related IIS backdoors describes a progression from IIS Group 2 to RGDoor and from RGDoor to CacheHTTP, consistent with the communication technique observed in older versions of RGDoor. APT34 and Greenbug also show closely overlapping tactics, techniques, and procedures (TTPs) and targets in the Middle East, which suggests that CacheHttp, IIS Group 2, and RGDoor could be variants of the same tool.
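The following PowerShell is an added example for this page, not code from the RGDoor report, its authors, or the Cybergeist dataset. It turns the two points above into checks on a Windows IIS host: enumerate the registered native modules (where an RGDoor-style module such as HTTPParser would appear) and flag unexpected images, enable the Cookie field in W3C logging, and then review POST requests that carry a cookie name the application never issues. It assumes the WebAdministration module is available and the shell is elevated; the function names, the baseline and known-cookie lists, and the sample log lines (including the placeholder cookie name XOPS) are the example's own and should be replaced with values from a clean server.

```powershell
# Added example (not code from the RGDoor report or this page).
# Assumptions: WebAdministration module present (Windows Server with IIS),
# elevated shell, and placeholder lists you fill from a clean baseline.
Import-Module WebAdministration

# 1. List every registered native (global) IIS module, as RGDoor's HTTPParser
#    would be, and flag images that are missing, unsigned, not Microsoft-signed,
#    or absent from your baseline. A valid third-party signature is not proof of
#    malice; it is a prompt to look at the file.
function Find-UnexpectedIisModule {
    param([string[]]$Baseline = @())   # assumed: trusted image paths from a clean build
    foreach ($m in Get-WebGlobalModule) {
        $image = [Environment]::ExpandEnvironmentVariables($m.Image)
        $flags = @()
        if ($Baseline.Count -gt 0 -and $Baseline -notcontains $image) { $flags += 'not-in-baseline' }
        if (-not (Test-Path -LiteralPath $image)) {
            $flags += 'image-missing'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $image
            if ($sig.Status -ne 'Valid') {
                $flags += "signature-$($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                $flags += 'non-Microsoft-signer'
            }
        }
        [pscustomobject]@{ Module = $m.Name; Image = $image; Flags = ($flags -join ',') }
    }
}

# 2. Turn on the Cookie field (cs(Cookie)) in W3C logging, the same change as
#    ticking "Cookie" in IIS Manager's W3C Logging Fields dialog, for the site
#    defaults and for every existing site. Logged cookies include session
#    tokens, so restrict who can read the log directory afterwards.
function Enable-IisCookieLogging {
    $apphost = 'MACHINE/WEBROOT/APPHOST'
    $targets = @('system.applicationHost/sites/siteDefaults/logFile') +
               (Get-Website | ForEach-Object { "system.applicationHost/sites/site[@name='$($_.Name)']/logFile" })
    foreach ($filter in $targets) {
        # logExtFileFlags is a comma-separated flag list, e.g. "Date, Time, ClientIP, ..."
        $current = "$(Get-WebConfigurationProperty -PSPath $apphost -Filter $filter -Name logExtFileFlags)"
        if ($current -notmatch '\bCookie\b') {
            Set-WebConfigurationProperty -PSPath $apphost -Filter $filter -Name logExtFileFlags -Value "$current,Cookie"
        }
    }
}

# 3. With cookies logged, report POSTs carrying a cookie name the application never
#    sets. Filtering on URL would miss RGDoor, which handles POSTs to any path.
function Find-PostWithUnknownCookie {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [string[]]$KnownCookieNames = @('ASP.NET_SessionId')   # assumed: names your app issues
    )
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $cols = $line -split ' '
        if ($cols.Count -ne $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['cs-method'] -ne 'POST' -or $row['cs(Cookie)'] -eq '-') { continue }
        # IIS writes spaces inside a logged field as '+', so "a=1; b=2" appears as "a=1;+b=2"
        $names = ($row['cs(Cookie)'] -replace '\+', ' ') -split ';' |
                 ForEach-Object { ($_.Trim() -split '=', 2)[0] }
        $unknown = @($names | Where-Object { $KnownCookieNames -notcontains $_ })
        if ($unknown.Count -gt 0) {
            [pscustomobject]@{
                Time = "$($row['date']) $($row['time'])"; ClientIP = $row['c-ip']
                Uri = $row['cs-uri-stem']; UnknownCookies = ($unknown -join ',')
            }
        }
    }
}

# Constructed sample log (not real traffic). The cookie name XOPS and its value are
# placeholders for whatever an actor would send, not RGDoor's actual format.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs(Cookie) sc-status
2024-09-01 10:00:00 203.0.113.5 GET /index.html - 200
2024-09-01 10:00:05 203.0.113.5 POST /login ASP.NET_SessionId=abc123 200
2024-09-01 10:01:00 198.51.100.7 POST /img/logo.png ASP.NET_SessionId=abc123;+XOPS=d2hvYW1p 200
'@ -split "`r?`n"

Find-UnexpectedIisModule | Format-Table -AutoSize
Enable-IisCookieLogging
Find-PostWithUnknownCookie -LogLines $sampleLog | Format-Table -AutoSize
```

Only the third sample line is reported: a POST to a static image path carrying a cookie the application never set, which is exactly the shape of request URL-based monitoring would ignore. Run step 1 against a known-clean server first to build the baseline, and step 3 against real logs only after step 2 has been in place long enough for the Cookie column to exist.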
Description last updated: 2024-09-12T00:17:14.601Z
Aliases: none currently tracked.
Miscellaneous Associations (other elements of context that could aid in the identification of relevance): IIS, Backdoor