TwoFace Webshell to RGDoor: A Resilient Cyber Attack on Middle Eastern Organizations
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: OS command injection, Backdoor
- Attack Complexity: Medium
- Threat Risk: High Impact/High Probability
Threat Overview
Unit 42 identified OilRig deploying a secondary backdoor, RGDoor, through the TwoFace webshell so that it could regain access to compromised web servers once TwoFace was detected and removed. Targeting eight Middle Eastern government organizations, a financial institution, and an educational institution, RGDoor lets OilRig execute commands on the server and upload files to and download files from it. The backdoor is written in C++ and built as a DLL; its operators communicate with it through HTTP POST requests.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Financial | Verified |
| Sector | Government Agencies and Services | Verified |
| Sector | Education | Verified |
| Region | Middle East Countries | Verified |
Eight Middle Eastern government organizations, along with one financial and one educational institution, were targeted by the attack.
Extracted IOCs
- 497e6965120a7ca6644da9b8291c65901e78d302139d221fcf0a3ec6c5cf9de3
- a9c92b29ee05c1522715c7a2f9c543740b60e36373cb47b5620b1f3d8ad96bfa
Tip: 2 related IOCs (0 IP, 0 domain, 0 URL, 0 email, 2 file hashes) have been found for this threat.
Overlaps
Source: Palo Alto Networks - September 2017
Detection (one case): 497e6965120a7ca6644da9b8291c65901e78d302139d221fcf0a3ec6c5cf9de3
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.
FAQs
Understanding the RGDoor IIS Backdoor
Security researchers discovered a malicious backdoor named "RGDoor" installed on web servers. It acts as a "backup key": it lets the attackers keep secretly controlling a server even after their main entry point has been found and deleted.
The attack specifically targeted high-value entities in the Middle East, including eight government organizations, a financial institution, and an educational institution.
The primary goal is persistence. Attackers use RGDoor to make sure they stay connected to a victim's network: if the victim finds and deletes the attackers' primary tool (the "TwoFace" webshell), they can use RGDoor to get back in.
RGDoor is a piece of software (a DLL file) that plugs directly into the web server software (IIS) as a module. It silently inspects requests sent to the server (specifically HTTP "POST" requests). If it sees a specific secret code hidden inside the request's "Cookie" header, it wakes up and executes the attacker's commands, such as stealing files or running programs.
It is hard to spot because there is no specific file or web page to look for; it hides inside the server's own request-processing machinery. Furthermore, IIS does not record the "Cookie" header in its logs by default, so the malicious commands sent by the attackers leave no trace in default logs.
Organizations running IIS web servers should change their logging settings to record the "Cookie" field so that security teams can see the hidden commands. They should also regularly review the list of modules registered with IIS on their servers to make sure no unauthorized ones have been added.
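The two recommendations above, as an added PowerShell example (not from the Unit 42 report or the site): it lists every native IIS module that is missing from a baseline or lacks a valid Authenticode signature, then adds the Cookie field to the W3C log field set for the site defaults and every existing site. It assumes the WebAdministration module (IIS 7 or later) and an elevated prompt; the `$ExpectedModules` baseline is a constructed placeholder that must be built from a known-good server of the same role.

```powershell
# Added example, not the page's or Unit 42's code. Requires an elevated prompt.
Import-Module WebAdministration

# ASSUMPTION: baseline of expected native module names. Build this from a
# known-good server with the same IIS role services; the list here is illustrative.
$ExpectedModules = @(
    'UriCacheModule','FileCacheModule','TokenCacheModule','HttpCacheModule',
    'StaticCompressionModule','DefaultDocumentModule','DirectoryListingModule',
    'ProtocolSupportModule','StaticFileModule','AnonymousAuthenticationModule',
    'RequestFilteringModule','CustomErrorModule','HttpLoggingModule',
    'RequestMonitorModule','IsapiModule','IsapiFilterModule',
    'ConfigurationValidationModule','ManagedEngineV4.0_32bit','ManagedEngineV4.0_64bit'
)

# 1. Enumerate registered native modules (globalModules) and flag anything that is
#    not in the baseline or whose DLL is unsigned, missing, or has a broken signature.
$suspect = Get-WebGlobalModule | ForEach-Object {
    $path = [Environment]::ExpandEnvironmentVariables($_.Image)
    $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name       = $_.Name
        Image      = $path
        InBaseline = $ExpectedModules -contains $_.Name
        Signature  = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
        Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
} | Where-Object { -not $_.InBaseline -or $_.Signature -ne 'Valid' }
$suspect | Format-Table -AutoSize   # every row needs a human decision, not automatic removal

# 2. Make sure the cs(Cookie) field is logged, for the site defaults and each existing
#    site, so cookie-borne commands appear in the W3C logs. Existing flags are kept.
$appHost = 'MACHINE/WEBROOT/APPHOST'
$filters = @('system.applicationHost/sites/siteDefaults/logFile') +
           (Get-Website | ForEach-Object { "system.applicationHost/sites/site[@name='$($_.Name)']/logFile" })
foreach ($filter in $filters) {
    $flags = (Get-WebConfiguration -PSPath $appHost -Filter $filter).logExtFileFlags
    if ($flags -notmatch '\bCookie\b') {
        Set-WebConfigurationProperty -PSPath $appHost -Filter $filter `
            -Name logExtFileFlags -Value "$flags,Cookie"
        Write-Output "Enabled Cookie logging: $filter"
    }
}
```

The log change takes effect for new log entries without an IIS restart; the module list should be compared against the baseline on a schedule, since a re-registered DLL shows up only on the next run.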