TwoFace

TwoFace is the name given to a web shell that cybersecurity researchers identified while performing a routine security check on a server used by a Middle Eastern organization. Their analysis shows that the TwoFace web shell had been active on the compromised computer for over a year, giving its operator plenty of time to use it for gain. So far, it is suspected that the primary purpose of TwoFace may have been to gather Windows login credentials from the compromised computers, but the control panel of the web shell reveals that it may also have provided the attacker with the ability to download files from the vulnerable system, as well as to upload files to it. Last but not least, the TwoFace web shell may also have provided the attacker with the ability to download additional copies of the shell and transfer them to other systems that are members of the same network.

After it was spotted for the first time, the TwoFace web shell was also seen on several other computers owned by Israeli institutions and companies involved in telecommunications, property management, and education. The handpicked targets, all belonging to the same region and group of people, lead researchers to suspect that the APT group linked to the TwoFace campaign may be OilRig, an infamous group of Iranian hackers.

It is not clear what infection vector was used to plant the initial variants of TwoFace on the targeted computers. However, researchers have determined that some of the compromised systems were under the attacker's control for over a year, and that they received commands from remote servers situated in France, Iran, Germany, and the USA. It is likely that the servers in question were also compromised, and that they offered the operators of TwoFace a convenient way to stay anonymous.

The TwoFace web shell is a simple tool powered by a complicated infrastructure that has helped the campaign stay undetected for over a year. During this time, the attackers had persistent access to the compromised systems and were able to silently and gradually expand the network of infected computers.

This post first appeared on SpywareRemove; please read the original post there.