SYMBOLCOMMON_NAMEaka. SYNONYMS
asp.twoface (Back to overview)

TwoFace

aka: Minion, HighShell, HyperShell, SEASHARPEE

Actor(s): OilRig, APT34


According to Unit42, TwoFace is a two-staged (loader+payload) webshell, written in C# and meant to run on webservers with ASP.NET. The author of the initial loader webshell included legitimate and expected content that will be displayed if a visitor accesses the shell in a browser, likely to remain undetected. The code in the loader webshell includes obfuscated variable names and the embedded payload is encoded and encrypted. To interact with the loader webshell, the threat actor uses HTTP POST requests to the compromised server.

The secondary webshell, which we call the payload, is embedded within the loader in encrypted form and contains additional functionality that we will discuss in further detail. When the threat actor wants to interact with the remote server, they provide data that the loader will use to modify a decryption key embedded within the loader that will be in turn used to decrypt the embedded TwoFace payload. Commands supported by the payload are execution of programs, up-, download and deletion of files and capability to manipulate MAC timestamps.

References
2020-11-27PTSecurityDenis Goydenko, Alexey Vishnyakov
@online{goydenko:20201127:investigation:7d12cee, author = {Denis Goydenko and Alexey Vishnyakov}, title = {{Investigation with a twist: an accidental APT attack and averted data destruction}}, date = {2020-11-27}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/}, language = {English}, urldate = {2020-12-01} } Investigation with a twist: an accidental APT attack and averted data destruction
TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz LuckyMouse
2020-09-25Emanuele De Lucia
@online{lucia:20200925:vs:5b8c949, author = {Emanuele De Lucia}, title = {{APT vs Internet Service Providers}}, date = {2020-09-25}, url = {https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view}, language = {English}, urldate = {2020-10-02} } APT vs Internet Service Providers
TwoFace RGDoor
2020-06-18Australian Cyber Security CentreAustralian Cyber Security Centre (ACSC)
@techreport{acsc:20200618:advisory:ed0f53c, author = {Australian Cyber Security Centre (ACSC)}, title = {{Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks}}, date = {2020-06-18}, institution = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf}, language = {English}, urldate = {2020-06-19} } Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks
TwoFace Cobalt Strike Empire Downloader
2020SecureworksSecureWorks
@online{secureworks:2020:cobalt:ce31320, author = {SecureWorks}, title = {{COBALT GYPSY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-gypsy}, language = {English}, urldate = {2020-05-23} } COBALT GYPSY
TwoFace MacDownloader BONDUPDATER pupy Helminth jason RGDoor TinyZbot OilRig
2019-07-08SANSJosh M. Bryant, Robert Falcone
@techreport{bryant:20190708:hunting:7ce53d5, author = {Josh M. Bryant and Robert Falcone}, title = {{Hunting Webshells: Tracking TwoFace}}, date = {2019-07-08}, institution = {SANS}, url = {https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf}, language = {English}, urldate = {2020-01-09} } Hunting Webshells: Tracking TwoFace
TwoFace
2019-02-13Youtube (SANS Digital Forensics & Incident Response)Josh Bryant, Robert Falcone
@online{bryant:20190213:hunting:8c671bf, author = {Josh Bryant and Robert Falcone}, title = {{Hunting Webshells: Tracking TwoFace - SANS Threat Hunting Summit 2018}}, date = {2019-02-13}, organization = {Youtube (SANS Digital Forensics & Incident Response)}, url = {https://www.youtube.com/watch?v=GjquFKa4afU}, language = {English}, urldate = {2020-01-13} } Hunting Webshells: Tracking TwoFace - SANS Threat Hunting Summit 2018
TwoFace
2018-07-07Youtube (SteelCon)Dan Caban, Muks Hirani
@online{caban:20180707:youve:b02f5ff, author = {Dan Caban and Muks Hirani}, title = {{You’ve Got Mail!}}, date = {2018-07-07}, organization = {Youtube (SteelCon)}, url = {https://www.youtube.com/watch?time_continue=1333&v=1CGAmjAV8nI}, language = {English}, urldate = {2020-01-08} } You’ve Got Mail!
TwoFace
2017-12-11Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20171211:oilrig:8d7f26f, author = {Robert Falcone}, title = {{OilRig Performs Tests on the TwoFace Webshell}}, date = {2017-12-11}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/}, language = {English}, urldate = {2020-01-10} } OilRig Performs Tests on the TwoFace Webshell
TwoFace
2017-07-31Palo Alto Networks Unit 42Robert Falcone, Bryan Lee
@online{falcone:20170731:twoface:8fe5f2d, author = {Robert Falcone and Bryan Lee}, title = {{TwoFace Webshell: Persistent Access Point for Lateral Movement}}, date = {2017-07-31}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/}, language = {English}, urldate = {2020-01-07} } TwoFace Webshell: Persistent Access Point for Lateral Movement
TwoFace OilRig
2015-09-17F-SecureF-Secure Global
@online{global:20150917:dukes:5dc47f5, author = {F-Secure Global}, title = {{The Dukes: 7 Years Of Russian Cyber-Espionage}}, date = {2015-09-17}, organization = {F-Secure}, url = {https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/}, language = {English}, urldate = {2020-01-09} } The Dukes: 7 Years Of Russian Cyber-Espionage
TwoFace BONDUPDATER DNSpionage
Yara Rules
[TLP:WHITE] asp_twoface_w0 (20190503 | No description)
rule asp_twoface_w0 {
	meta:
		author = "jaime.blasco@alienvault.com"
		tlp = "WHITE"
		reference = "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/asp.twoface"
        malpedia_version = "20190503"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

	strings:
		$header = "<%@ Page Language="
		$var1 = "pwd=t[\"pwd\"];"
		$var2 = "pro=t[\"pro\"];"
		$var3 = "cmd=t[\"cmd\"];"
		$xvar1 = "pwd=fb(t[\"pwd\"]);"
		$xvar2 = "pro=fb(t[\"pro\"]);"
		$xvar3 = "cmd=fb(t[\"cmd\"]);"		

	condition:
		$header and ((all of ($var*)) or (all of ($xvar*)))
}
Download all Yara Rules