The Iran-linked cyber-espionage group known as OilRig is using a backdoor to target Internet Information Services (IIS) Web servers used by Middle Eastern government organizations and financial and educational institutions.
Dubbed RGDoor, the malware is believed to be a secondary backdoor that allows the actor to regain access to a compromised Web server in the event the primary malware is detected and removed. This primary malicious tool is the TwoFace webshell, which OilRig is believed to have been using since at least June 2016.
Around since 2015, the OilRig threat group has targeted mainly organizations in the financial and government sectors, in the United States and Middle Eastern countries. Believed to be operating out of Iran, the group is using multiple tools, is expanding its arsenal, and is quick to adopt new exploits.
The backdoor was created using C++, which results in a compiled dynamic link library (DLL) with an exported function named “RegisterModule.” Because of that, Palo Alto’s researchers believe the DLL was used as a custom native-code HTTP module loaded into IIS, and suggest that there is no visual representation of the shell for the actors to interact with.
This approach takes advantage of IIS 7 functionality that allows developers to create modules in C++ to extend IIS’ capabilities, such as carry out custom actions on requests. These “native-code modules can be installed either in the IIS Manager GUI or via the command-line using the ‘appcmd’ application,” Palo Alto has explains.
The researchers also found that RGDoor would call the “RegisterModule” function with arguments that ignore inbound HTTP GET requests, but act on all HTTP POST requests, even those issued over HTTPS. The malware parses these requests to look for a specific string in the HTTP “Cookie” field, so as to find whether cmd$ [command to execute], upload$ [path to file], or download$ [path to file] commands were issued to it.
“The sample then transmits the data back to the actor by creating a loop that calls the IHttpResponse::WriteEntityChunk method until all of the data is sent to the actor within HTTP responses. If the WriteEntityChunk method fails at any point during this loop, the code will respond to the actor with a HTTP 500 “Server Error” response by using the IHttpResponse::SetStatus method,” the researchers explain.
Because IIS does not log the values within Cookie fields of inbound HTTP requests by default, it’s difficult to locate and analyze inbound requests related to RGDoor. Furthermore, because the module checks all inbound POST requests for commands, the actor can use any URL to interact with it.
The actors behind the backdoor used the TwoFace webshell to load it onto an IIS Web server and gain backdoor access to the compromised system. The main purpose of the tool, however, appears to be regaining access to the server in the event the TwoFace webshell was removed.
“This backdoor has a rather limited set of commands, however, the three commands provide plenty of functionality for a competent backdoor, as they allow an actor to upload and download files to the sever, as well as run commands via command prompt. The use of RGDoor suggests that this group
has contingency plans to regain access to a compromised network in the event their webshells are discovered and remediated,” Palo Alto concludes.