win.rgdoor

RGDoor


There is no description at this point.

References
2020-09-25 — Emanuele De Lucia
@online{lucia:20200925:vs:5b8c949, author = {Emanuele De Lucia}, title = {{APT vs Internet Service Providers}}, date = {2020-09-25}, url = {https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view}, language = {English}, urldate = {2020-10-02} } APT vs Internet Service Providers
TwoFace RGDoor
2020 — Secureworks — SecureWorks
@online{secureworks:2020:cobalt:ce31320, author = {SecureWorks}, title = {{COBALT GYPSY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-gypsy}, language = {English}, urldate = {2020-05-23} } COBALT GYPSY
TwoFace MacDownloader BONDUPDATER pupy Helminth jason RGDoor TinyZbot OilRig
2020 — Secureworks — SecureWorks
@online{secureworks:2020:cobalt:1a61198, author = {SecureWorks}, title = {{COBALT LYCEUM}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-lyceum}, language = {English}, urldate = {2020-05-23} } COBALT LYCEUM
danbot RGDoor LYCEUM
2018-01-25 — Palo Alto Networks Unit 42 — Robert Falcone
@online{falcone:20180125:oilrig:ac00139, author = {Robert Falcone}, title = {{OilRig uses RGDoor IIS Backdoor on Targets in the Middle East}}, date = {2018-01-25}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/}, language = {English}, urldate = {2019-12-20} } OilRig uses RGDoor IIS Backdoor on Targets in the Middle East
RGDoor
2017-09-26 — Palo Alto Networks Unit 42 — Robert Falcone, Bryan Lee
@online{falcone:20170926:striking:f9aa319, author = {Robert Falcone and Bryan Lee}, title = {{Striking Oil: A Closer Look at Adversary Infrastructure}}, date = {2017-09-26}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/}, language = {English}, urldate = {2019-12-20} } Striking Oil: A Closer Look at Adversary Infrastructure
RGDoor
Yara Rules
[TLP:WHITE] win_rgdoor_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_rgdoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rgdoor"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review)
     * The per-instruction annotations originally emitted next to each byte
     * sequence did not line up with the hex on the same line (for example
     * `85db` was annotated as `dec eax`, but decodes to `test ebx, ebx`; the
     * REX prefixes 0x48/0x49/0x4c were being read as 32-bit `dec` opcodes).
     * The annotations below are a fresh decode of each sequence as x86-64.
     * Only the comments changed: the hex sequences, the `n`/`score` values
     * and the condition are exactly as generated and remain the authoritative
     * content of the rule. `??` bytes are wildcards standing in for
     * RIP-relative or relocated displacements and call targets.
     */

    strings:
        $sequence_0 = { 85db 0f848a000000 41880f 4b8b84ea503f0300 4183cbff 4103db }
            // n = 6, score = 100
            //   85db                 | test                ebx, ebx
            //   0f848a000000         | je                  <rel32 +0x8a>
            //   41880f               | mov                 byte ptr [r15], cl
            //   4b8b84ea503f0300     | mov                 rax, qword ptr [r10 + r13*8 + 0x33f50]
            //   4183cbff             | or                  r11d, 0xffffffff
            //   4103db               | add                 ebx, r11d
            // The 0x33f50 displacement recurs in $sequence_6, so both
            // sequences appear to index the same 8-byte-stride table.

        $sequence_1 = { 488d4c2420 41b801000000 4889442450 e8???????? 488d0590b30100 488d15f9810200 488d4c2420 }
            // n = 7, score = 100
            //   488d4c2420           | lea                 rcx, [rsp + 0x20]
            //   41b801000000         | mov                 r8d, 1
            //   4889442450           | mov                 qword ptr [rsp + 0x50], rax
            //   e8????????           | call                <rel32 wildcarded>
            //   488d0590b30100       | lea                 rax, [rip + 0x1b390]
            //   488d15f9810200       | lea                 rdx, [rip + 0x281f9]
            //   488d4c2420           | lea                 rcx, [rsp + 0x20]
            // rcx/rdx/r8 are the first three x64 call arguments; the two
            // RIP-relative leas load addresses of image-local data.

        $sequence_2 = { 488905???????? 488d05f2a50000 488905???????? 488d05e4990000 488905???????? 488d050ea50000 488905???????? }
            // n = 7, score = 100
            //   488905????????       | mov                 qword ptr [rip + <wildcarded>], rax
            //   488d05f2a50000       | lea                 rax, [rip + 0xa5f2]
            //   488905????????       | mov                 qword ptr [rip + <wildcarded>], rax
            //   488d05e4990000       | lea                 rax, [rip + 0x99e4]
            //   488905????????       | mov                 qword ptr [rip + <wildcarded>], rax
            //   488d050ea50000       | lea                 rax, [rip + 0xa50e]
            //   488905????????       | mov                 qword ptr [rip + <wildcarded>], rax
            // A run of "take address of image-local object, store it in a
            // global" — looks like one-time initialisation of a pointer table;
            // the specific objects are not identifiable from the bytes alone.

        $sequence_3 = { 41c0e702 410fb6c5 c0e806 4402f8 44887dc6 4180e53f 44886dc7 }
            // n = 7, score = 100
            //   41c0e702             | shl                 r15b, 2
            //   410fb6c5             | movzx               eax, r13b
            //   c0e806               | shr                 al, 6
            //   4402f8               | add                 r15b, al
            //   44887dc6             | mov                 byte ptr [rbp - 0x3a], r15b
            //   4180e53f             | and                 r13b, 0x3f
            //   44886dc7             | mov                 byte ptr [rbp - 0x39], r13b
            // Byte-level shifting into 6-bit groups (shl 2 / shr 6 / and 0x3f)
            // is the shape of a base64-style re-packing loop — presumably the
            // encoder/decoder for the backdoor's transport; confirm in the dump.

        $sequence_4 = { 488b8c0d28010000 4885c9 7407 488b01 ff5008 90 }
            // n = 6, score = 100
            //   488b8c0d28010000     | mov                 rcx, qword ptr [rbp + rcx + 0x128]
            //   4885c9               | test                rcx, rcx
            //   7407                 | je                  <rel8 +0x7>
            //   488b01               | mov                 rax, qword ptr [rcx]
            //   ff5008               | call                qword ptr [rax + 8]
            //   90                   | nop
            // Null-checked indirect call through the second slot of a
            // function table pointed to by the object — consistent with a
            // C++ virtual / COM-style method call (slot +8); a generic pattern.

        $sequence_5 = { 4c8d25842f0200 83e01f 4c6bf858 498b04fc 420fbe4c3808 83e101 }
            // n = 6, score = 100
            //   4c8d25842f0200       | lea                 r12, [rip + 0x22f84]
            //   83e01f               | and                 eax, 0x1f
            //   4c6bf858             | imul                r15, rax, 0x58
            //   498b04fc             | mov                 rax, qword ptr [r12 + rdi*8]
            //   420fbe4c3808         | movsx               ecx, byte ptr [rax + r15 + 8]
            //   83e101               | and                 ecx, 1
            // NOTE(review): (index & 0x1f) * 0x58, a table lookup, then a flag
            // byte at +8 masked with 1 resembles generic MSVC CRT file-handle
            // bookkeeping rather than family-specific logic, so this sequence
            // may also match unrelated statically-linked binaries. Treat it as
            // a weak contributor to the "7 of them" threshold — confirm.

        $sequence_6 = { 754e 488d05fc7ffeff d1eb 4c8d4ddc 4a8b8ce8503f0300 498bd4 448bc3 }
            // n = 7, score = 100
            //   754e                 | jne                 <rel8 +0x4e>
            //   488d05fc7ffeff       | lea                 rax, [rip - 0x18004]
            //   d1eb                 | shr                 ebx, 1
            //   4c8d4ddc             | lea                 r9, [rbp - 0x24]
            //   4a8b8ce8503f0300     | mov                 rcx, qword ptr [rax + r13*8 + 0x33f50]
            //   498bd4               | mov                 rdx, r12
            //   448bc3               | mov                 r8d, ebx
            // Same 0x33f50 table displacement as $sequence_0; the moves into
            // rcx/rdx/r8/r9 set up four call arguments (call itself not included).

        $sequence_7 = { 483305???????? 488bcb 488905???????? ff15???????? 483305???????? 488d157a580100 488bcb }
            // n = 7, score = 100
            //   483305????????       | xor                 rax, qword ptr [rip + <wildcarded>]
            //   488bcb               | mov                 rcx, rbx
            //   488905????????       | mov                 qword ptr [rip + <wildcarded>], rax
            //   ff15????????         | call                qword ptr [rip + <wildcarded>]
            //   483305????????       | xor                 rax, qword ptr [rip + <wildcarded>]
            //   488d157a580100       | lea                 rdx, [rip + 0x1587a]
            //   488bcb               | mov                 rcx, rbx
            // XOR of a returned value with a global before storing it, repeated
            // around an import call — the shape of compiler/CRT pointer
            // encoding against a per-process key; presumably not RGDoor-specific.

        $sequence_8 = { 488bd9 488d05b9490100 488981a0000000 83611000 c7411c01000000 c781c800000001000000 b843000000 }
            // n = 7, score = 100
            //   488bd9               | mov                 rbx, rcx
            //   488d05b9490100       | lea                 rax, [rip + 0x149b9]
            //   488981a0000000       | mov                 qword ptr [rcx + 0xa0], rax
            //   83611000             | and                 dword ptr [rcx + 0x10], 0
            //   c7411c01000000       | mov                 dword ptr [rcx + 0x1c], 1
            //   c781c800000001000000     | mov         dword ptr [rcx + 0xc8], 1
            //   b843000000           | mov                 eax, 0x43
            // Field initialisation of the object passed in rcx (a pointer stored
            // at +0xa0, counters at +0x10/+0x1c/+0xc8); the meaning of the
            // offsets and of the 0x43 return value is not recoverable here.

        $sequence_9 = { 488d9510020000 488d4d98 e8???????? 488bcb e8???????? 85c0 }
            // n = 6, score = 100
            //   488d9510020000       | lea                 rdx, [rbp + 0x210]
            //   488d4d98             | lea                 rcx, [rbp - 0x68]
            //   e8????????           | call                <rel32 wildcarded>
            //   488bcb               | mov                 rcx, rbx
            //   e8????????           | call                <rel32 wildcarded>
            //   85c0                 | test                eax, eax
            // Two calls with stack-buffer arguments followed by a result check.

    condition:
        // Seven of the ten sequences must match. The filesize ceiling is derived
        // from the single sample the generator saw (see DISCLAIMER), so a
        // repacked or padded build may exceed it and be missed.
        7 of them and filesize < 475136
}
[TLP:WHITE] win_rgdoor_w0 (20180208 | Detects RGDoor backdoor used by OilRig group)
import "pe"
/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2018-01-27
   Identifier: RGDoor
   Reference: https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
*/
rule win_rgdoor_w0 {
    meta:
        author = "Florian Roth"
        description = "Detects RGDoor backdoor used by OilRig group"
        reference = "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/"
        date = "2018-01-27"
        score = 80
        hash = "a9c92b29ee05c1522715c7a2f9c543740b60e36373cb47b5620b1f3d8ad96bfa"
        malpedia_version = "20180208"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rgdoor"
    strings:
        // Module file name carried by the sample; the referenced report
        // describes RGDoor as an IIS native-module backdoor.
        $dll_name    = "MyNativeModule.dll" fullword ascii
        // "NAME=" shaped marker — consistent with an HTTP cookie name used by
        // the backdoor's request handling; confirm against the reference.
        $cookie_mark = "RGSESSIONID=" fullword ascii
        $cmd_marker  = "download$" fullword ascii
        // MSVC RTTI type-descriptor name for a class `CHelloWorld`
        // (".?AV<name>@@" is the compiler's mangled class-name form). This is
        // the class name from Microsoft's native IIS-module walkthrough, so any
        // module built from that template would also carry it.
        $rtti_class  = ".?AVCHelloWorld@@" fullword ascii
    condition:
        // Any two of the four strings, or the sample's import hash. A match on
        // the string pair alone is the weaker path: $rtti_class and $cmd_marker
        // are not by themselves family-specific, so string-only hits deserve a
        // lower confidence than an imphash hit.
        (2 of them)
        or pe.imphash() == "47cb127aad6c7c9954058e61a2a6429a"
}