Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Iranian Hackers Target IIS Web Servers With New Backdoor

Iranian Cyber

Iranian Cyber

The Iran-linked cyber-espionage group known as OilRig is using a backdoor to target Internet Information Services (IIS) Web servers used by Middle Eastern government organizations and financial and educational institutions.

Dubbed RGDoor, the malware is believed to be a secondary backdoor that allows the actor to regain access to a compromised Web server in the event the primary malware is detected and removed. This primary malicious tool is the TwoFace webshell, which OilRig is believed to have been using since at least June 2016.

 Around since 2015, the OilRig threat group has targeted mainly organizations in the financial and government sectors, in the United States and Middle Eastern countries. Believed to be operating out of Iran, the group is using multiple tools, is expanding its arsenal, and is quick to adopt new exploits.

The backdoor was created using C++, which results in a compiled dynamic link library (DLL) with an exported function named “RegisterModule.” Because of that, Palo Alto’s researchers believe the DLL was used as a custom native-code HTTP module loaded into IIS, and suggest that there is no visual representation of the shell for the actors to interact with.

This approach takes advantage of IIS 7 functionality that allows developers to create modules in C++ to extend IIS’ capabilities, such as carry out custom actions on requests. These “native-code modules can be installed either in the IIS Manager GUI or via the command-line using the ‘appcmd’ application,” Palo Alto has explains.

The researchers also found that RGDoor would call the “RegisterModule” function with arguments that ignore inbound HTTP GET requests, but act on all HTTP POST requests, even those issued over HTTPS. The malware parses these requests to look for a specific string in the HTTP “Cookie” field, so as to find whether cmd$ [command to execute], upload$ [path to file], or download$ [path to file] commands were issued to it.

“The sample then transmits the data back to the actor by creating a loop that calls the IHttpResponse::WriteEntityChunk method until all of the data is sent to the actor within HTTP responses. If the WriteEntityChunk method fails at any point during this loop, the code will respond to the actor with a HTTP 500 “Server Error” response by using the IHttpResponse::SetStatus method,” the researchers explain.

Advertisement. Scroll to continue reading.

Because IIS does not log the values within Cookie fields of inbound HTTP requests by default, it’s difficult to locate and analyze inbound requests related to RGDoor. Furthermore, because the module checks all inbound POST requests for commands, the actor can use any URL to interact with it.

The actors behind the backdoor used the TwoFace webshell to load it onto an IIS Web server and gain backdoor access to the compromised system. The main purpose of the tool, however, appears to be regaining access to the server in the event the TwoFace webshell was removed.

“This backdoor has a rather limited set of commands, however, the three commands provide plenty of functionality for a competent backdoor, as they allow an actor to upload and download files to the sever, as well as run commands via command prompt. The use of RGDoor suggests that this group
has contingency plans to regain access to a compromised network in the event their webshells are discovered and remediated,” Palo Alto concludes.

Related: Iranian Cyberspies Exploit Recently Patched Office Flaw

Related: Iranian Cyberspies Use New Trojan in Middle East Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.

Register

Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cybercrime

The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.