
TwoFace

Posted: April 19, 2019

TwoFace is a Remote Access Trojan or RAT that consists of two separate Web shells that its threat actors can run on vulnerable servers. Attackers can use this hacking tool to gain access to other servers on the same network, collect information or introduce other threats. Server administrators should use appropriate anti-malware tools to disinfect the server and remove TwoFace, and should change any passwords that the threat actors might have collected in the interim.

When One Face isn't Enough for a Trojan

Although having a Trojan dropper install a second Trojan is par for the course, it is unusual for both Trojans to be full-fledged Web shells. This technical oddity gives TwoFace, a Web server-compromising threat, its name. By the time the cyber-security industry caught up with it in 2017, the Remote Access Trojan had been attacking targets for nearly a year.

Both parts of TwoFace require Microsoft's ASP.NET framework to be running on the server already, and they are frequently found providing a backdoor into the servers of Middle Eastern organizations. The first shell is a loader component that drops the second half of the Trojan, which delivers most of the server-controlling features. This latter portion of the threat includes features such as:

  • Executing commands from a Command & Control server.
  • Modifying MAC timestamp information.
  • Opening program executables.
  • Uploading/downloading files.
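Because both halves of TwoFace are ASP.NET pages that receive their operator's commands over ordinary HTTP requests, the IIS access log is one of the cheapest places for a defender to look for them. The following script is an added example, not code from the page or from any vendor: it parses IIS W3C log lines and flags any .aspx/.ashx/.asmx resource that is absent from a known-good page inventory yet receives POST requests. The log lines, the client addresses and the page path under /aspnet_client/ are constructed for the example and are not TwoFace indicators; the baseline set KNOWN_PAGES is a hypothetical inventory an administrator would maintain for their own site.

```python
"""Hunt for unexpected ASP.NET pages taking POSTs in IIS W3C logs (added example)."""
from collections import defaultdict

# Constructed sample log. Real IIS logs use the same '#Fields:' header and
# space-separated records; these entries are invented for the example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2019-04-10 08:15:02 10.0.0.5 GET /default.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2019-04-10 08:15:40 10.0.0.5 POST /login.aspx - 443 - 203.0.113.7 Mozilla/5.0 302
2019-04-10 09:02:11 10.0.0.5 GET /images/logo.png - 443 - 203.0.113.7 Mozilla/5.0 200
2019-04-10 21:44:03 10.0.0.5 POST /aspnet_client/system_web/temp.aspx - 443 - 198.51.100.9 Mozilla/4.0 200
2019-04-10 21:44:09 10.0.0.5 POST /aspnet_client/system_web/temp.aspx - 443 - 198.51.100.9 Mozilla/4.0 200
2019-04-10 21:45:30 10.0.0.5 POST /aspnet_client/system_web/temp.aspx - 443 - 198.51.100.9 Mozilla/4.0 200
"""

# Hypothetical inventory of pages the site is supposed to serve.
KNOWN_PAGES = {"/default.aspx", "/login.aspx"}

# Server-side ASP.NET handler extensions worth tracking.
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")


def parse_w3c(text):
    """Yield one dict per record, using the most recent '#Fields:' header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # malformed or header-less record; skip rather than guess
        yield dict(zip(fields, values))


def find_unexpected_script_posts(text, known_pages):
    """Return {uri-stem: summary} for script pages outside the inventory that received POSTs."""
    seen = defaultdict(lambda: {"posts": 0, "gets": 0, "clients": set(),
                                "first": None, "last": None})
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if not stem.endswith(SCRIPT_EXTENSIONS) or stem in known_pages:
            continue
        entry = seen[stem]
        if rec["cs-method"].upper() == "POST":
            entry["posts"] += 1
        else:
            entry["gets"] += 1
        entry["clients"].add(rec["c-ip"])
        stamp = rec["date"] + " " + rec["time"]
        if entry["first"] is None:
            entry["first"] = stamp
        entry["last"] = stamp
    # A page nobody inventoried, which is driven by POSTs rather than browsed, is
    # the access pattern a command-receiving Web shell leaves behind.
    return {stem: e for stem, e in seen.items() if e["posts"] > 0}


def main():
    for stem, e in find_unexpected_script_posts(SAMPLE_LOG, KNOWN_PAGES).items():
        print(f"{stem}: {e['posts']} POST(s), {e['gets']} GET(s), "
              f"clients={sorted(e['clients'])}, {e['first']} .. {e['last']}")


if __name__ == "__main__":
    main()
```

Run against a real log directory by reading each file into the text argument; the inventory check is what carries the signal, so it must be built from the deployed application, not from the logs themselves. A hit only establishes that a page outside the inventory is being driven by POSTs; confirming a shell still means pulling the file from the webroot and examining it, and the page's own advice to isolate the server and reset credentials applies from that point.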

Malware researchers can also confirm some interesting 'coincidences' in TwoFace's C&C infrastructure. Typical domains from its campaign imitate Israel-related websites such as Tel Aviv University's, with the evident goal of fooling Web surfers into handing over their credentials. This atypical design makes TwoFace's command infrastructure just as double-purposed as the Trojan's two shells.

Putting a Name to a TwoFace

TwoFace's attacks have similarities to the crimes of OilRig, an Iran-based threat actor. It shares the abuse of Mimikatz, a password-collecting utility, along with a preference for the same types of Middle Eastern targets. If OilRig is the responsible party, then TwoFace infections could be circulating through corrupted Word documents or other formats that let attackers compromise their victims through e-mail. Such messages may be tailored to the specific worker or institution and may require clicking through a macro prompt.

Some TwoFace attacks involve the Trojan duplicating itself to compromise other servers, according to the threat actor's commands. Compromised servers should be isolated immediately, and victims should assume that related credentials such as passwords are in criminal hands. Standard anti-malware products should spot and uninstall TwoFace or, better yet, stop the loading component that installs its worse half.

Those who dig beyond the shallow surface of TwoFace's history will find details rife with other threats, from the backdoor Trojan RGDoor to the PuTTY Link remote connection tool. TwoFace gives any website administrator enough headaches, but any threat removal that stops at its doubled visage is likely a premature conclusion to a multi-layered security problem.
