asp.twoface

TwoFace

aka: Minion, HighShell, HyperShell, SEASHARPEE

Actor(s): OilRig, APT34


According to Unit42, TwoFace is a two-stage (loader + payload) webshell written in C# and meant to run on ASP.NET web servers. The author of the initial loader webshell included legitimate, expected-looking content that is displayed if a visitor opens the shell in a browser, likely to avoid detection. The loader's code uses obfuscated variable names, and the embedded payload is both encoded and encrypted. To interact with the loader webshell, the threat actor sends HTTP POST requests to the compromised server.

The secondary webshell, which we call the payload, is embedded within the loader in encrypted form and contains the additional functionality discussed in further detail. When the threat actor wants to interact with the remote server, they supply data that the loader uses to modify a decryption key embedded within it; the modified key is then used to decrypt the embedded TwoFace payload. Commands supported by the payload are program execution, file upload, download and deletion, and manipulation of MAC (modified/accessed/created) timestamps.

References

2022-07-18, Palo Alto Networks Unit 42: Evasive Serpens. Families: TwoFace, ISMAgent, ISMDoor, OopsIE, RDAT, OilRig
2021-12-14, Recorded Future (Insikt Group): Full Spectrum Detections for 5 Popular Web Shells: Alfa, SharPyShell, Krypton, ASPXSpy, and TWOFACE. Families: TwoFace
2020-11-27, PTSecurity (Alexey Vishnyakov, Denis Goydenko): Investigation with a twist: an accidental APT attack and averted data destruction. Families: TwoFace, CHINACHOPPER, HyperBro, MegaCortex, MimiKatz
2020-09-25, Emanuele De Lucia: APT vs Internet Service Providers. Families: TwoFace, RGDoor
2020-06-18, Australian Cyber Security Centre (ACSC): Advisory 2020-008: Copy-Paste Compromises – tactics, techniques and procedures used to target multiple Australian networks. Families: TwoFace, Cobalt Strike, Empire Downloader
2020-03-12, Recorded Future (Insikt Group): Swallowing the Snake's Tail: Tracking Turla Infrastructure. Families: TwoFace, Mosquito
2020-01-01, Secureworks: COBALT GYPSY. Families: TwoFace, MacDownloader, BONDUPDATER, pupy, Helminth, jason, RGDoor, TinyZbot, OilRig
2020-01-01, FireEye (Mandiant, Mitchell Clarke, Tom Hall): Mandiant IR Grab Bag of Attacker Activity. Families: TwoFace, CHINACHOPPER, HyperBro, HyperSSL
2019-08-22, Cyware: APT34: The Helix Kitten Cybercriminal Group Loves to Meow Middle Eastern and International Organizations. Families: TwoFace, BONDUPDATER, POWRUNER, QUADAGENT, Helminth, ISMAgent, Karkoff, LONGWATCH, OopsIE, PICKPOCKET, RGDoor, VALUEVAULT
2019-07-08, SANS (Josh M. Bryant, Robert Falcone): Hunting Webshells: Tracking TwoFace. Families: TwoFace
2019-04-17, Malware Reversing Blog (F-Secure Global): The Dukes: 7 Years Of Russian Cyber-Espionage. Families: TwoFace, BONDUPDATER, DNSpionage
2019-02-13, YouTube, SANS Digital Forensics & Incident Response (Josh Bryant, Robert Falcone): Hunting Webshells: Tracking TwoFace - SANS Threat Hunting Summit 2018. Families: TwoFace
2018-07-07, YouTube, SteelCon (Dan Caban, Muks Hirani): You've Got Mail! Families: TwoFace
2017-12-11, Palo Alto Networks Unit 42 (Robert Falcone): OilRig Performs Tests on the TwoFace Webshell. Families: TwoFace
2017-07-31, Palo Alto Networks Unit 42 (Bryan Lee, Robert Falcone): TwoFace Webshell: Persistent Access Point for Lateral Movement. Families: TwoFace, OilRig

Yara Rules
[TLP:WHITE] asp_twoface_w0 (20190503 | No description)
rule asp_twoface_w0 {
    meta:
        author = "jaime.blasco@alienvault.com"
        tlp = "WHITE"
        reference = "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/asp.twoface"
        malpedia_version = "20190503"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // ASP.NET page directive that every TwoFace loader page starts with
        $header = "<%@ Page Language="
        // plain variant: request parameters read directly
        $var1 = "pwd=t[\"pwd\"];"
        $var2 = "pro=t[\"pro\"];"
        $var3 = "cmd=t[\"cmd\"];"
        // obfuscated variant: the same parameters passed through the fb() decoder
        $xvar1 = "pwd=fb(t[\"pwd\"]);"
        $xvar2 = "pro=fb(t[\"pro\"]);"
        $xvar3 = "cmd=fb(t[\"cmd\"]);"

    condition:
        $header and ((all of ($var*)) or (all of ($xvar*)))
}
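As an added example (not part of the Malpedia entry and not the rule author's code), the scanner below reproduces the asp_twoface_w0 condition in pure Python and runs it over constructed .aspx samples, so the matching logic can be checked on a host without yara installed; it also shows that a file carrying only some of the strings, or a mix of the plain and fb()-wrapped forms, does not match, exactly as the rule's "all of" clauses require.

```python
"""Pure-Python equivalent of the asp_twoface_w0 YARA condition (added example)."""
import tempfile
from pathlib import Path
from typing import List

HEADER = '<%@ Page Language='
# $var1..$var3: plain TwoFace loader reads the POST parameters directly
PLAIN_VARS = ['pwd=t["pwd"];', 'pro=t["pro"];', 'cmd=t["cmd"];']
# $xvar1..$xvar3: obfuscated loader passes them through an fb() decoder
OBFUSCATED_VARS = ['pwd=fb(t["pwd"]);', 'pro=fb(t["pro"]);', 'cmd=fb(t["cmd"]);']


def matches_twoface(content: bytes) -> bool:
    """$header and ((all of ($var*)) or (all of ($xvar*)))."""
    # YARA matches raw bytes; latin-1 keeps a 1:1 byte-to-char mapping
    text = content.decode("latin-1")
    if HEADER not in text:
        return False
    plain = all(s in text for s in PLAIN_VARS)
    obfuscated = all(s in text for s in OBFUSCATED_VARS)
    return plain or obfuscated


def scan_directory(root: Path) -> List[str]:
    """Return the names of .aspx files under root that satisfy the rule."""
    return [p.name for p in sorted(root.rglob("*.aspx"))
            if matches_twoface(p.read_bytes())]


# Constructed samples (hypothetical, not real loader code): only the first two
# should match; "partial" lacks $var2 and "mixed" has no complete set.
SAMPLES = {
    "loader_plain.aspx": '<%@ Page Language="C#" %><script runat="server">'
                         'pwd=t["pwd"];pro=t["pro"];cmd=t["cmd"];</script>',
    "loader_obf.aspx": '<%@ Page Language="C#" %>'
                       'pwd=fb(t["pwd"]);pro=fb(t["pro"]);cmd=fb(t["cmd"]);',
    "partial.aspx": '<%@ Page Language="C#" %>pwd=t["pwd"];cmd=t["cmd"];',
    "mixed.aspx": '<%@ Page Language="C#" %>pwd=t["pwd"];pro=fb(t["pro"]);cmd=t["cmd"];',
    "benign.aspx": '<%@ Page Language="C#" %><html><body>Welcome</body></html>',
}


def demo() -> List[str]:
    """Write the constructed samples to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in SAMPLES.items():
            (root / name).write_text(body, encoding="utf-8")
        return scan_directory(root)


if __name__ == "__main__":
    print("matches:", demo())  # prints: matches: ['loader_obf.aspx', 'loader_plain.aspx']
```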