A dive into APT34 (aka OilRig, aka Cobalt Gypsy) “TwoFace” webshell

FireEye Image APT34If we talk about cyber intrusions, a vulnerable exposed web service can very often represent the first route for the whole backend infrastructure. Beyond this, web ones are among the first services whose robustness is tested during a cyber attack. For this reason, every respecting offensive actor knows very well the concept of “webshell” and how the effectiveness of such tools can sometimes make the difference between a partial or total compromise of the target network.

This post wants to give an overview about a webshell called TwoFace” (probably for the multiple components that form it) used by a very well known threat actor commonly known as APT34 (aka OilRig, aka Cobalt Gypsy). APT34 is believed to be based in Iran and is active at least since 2014. Over the time, many industry reports tracked the intrusions of this group against organizations and entities operating in the Energy, Financial, Government and Telecommunications sector. Many malware families have also been associated with this group including ISMAgent, ISMDoor, ISMInjector and, obviously, the “TwoFace” webshell.

This report is based on some recently collected samples which form a family cluster comprising variants of both webshell elements (loaders and payloads).Indeed, “TwoFace” is formed by two primary elements: a loader and a payload.

Both are written in C# as can be easily observed in the following code frame:


 [+] TwoFace Loader

As can be quickly imagined, the primary purpose of the loader is to decrypt the main webshell payload. One of the first thing we can observe is the declaration of variables with a likely random generated names. In all variants of loaders in my possession these names are changing probably in order to make more difficult the generation of file detection rules.

Following an example of a code frame catched from one recent webshell loader:


The loader contains an embedded key and the webshell payload. The embedded key is decrypted with another key given as input via HTTP request. Expanding the image above we can try to make things a little clearer highlighting and giving a nomenclature to the variables involved:


We can now show the double deciphering  for…loop cycles with variable names cleared and renamed for a better understanding:


Once the web service is compromised and the webshell payload is written into the server by the loader, the attacker is ready to start the game relying on a powerful hacking tool.

[+] TwoFace Payload

TwoFace payload is a powerfull and fully featured webshell. It uses HTTP Cookie parameters in order to handle commands to be executed in the context of the victim system. The main webshell core is shown following, where it’s possible to have evidences about what stated above and have an idea about how the author designed the workload of this hacking tool:


A switch…case statement is designed to handle the commands given by the actor through a Cookie named “data“.

In a nutshell, the webshell is able to perform the following action:

1. Arbitrary commands execution.

2. Arbitrary programs execution.

2. Downloading files.

3. Uploading files.

4. Deleting files.

5. Manipulating files.

interpreting the following values (incomplete list, some of them are redacted):

pro: give a program to be executed

cmd: give a command to be executed

sav: save an uploaded file to a specific path

vir: true or false if the path of sav is virtual

nen: specify a name of uploaded file

don: specify a path for file download

del: specify a path to delete a file

ttar: specify a file to take timestamps from


[+] TwoFace Payload Security

In the analyzed TwoFace payload, the webshell is protected from unauthorized use through the use of a second HTTP Cookie, named “p” (yes, quite easy to guess it stands for “password“).

Immediately after the runat="server" attribute, the author fills three variables named “salt“, “aut” and “pp” that are useful to handle the authentication for requests received.


aut” variable is filled given the resulting statement of a function aimed to calculate the base64 encoded value of the computed sha256 of “p” cookie  + “salt” and then compared with pp” value, as the extracted code frame shown below:


To conclude, may be useful to specify that some variants presents an auth HTTP Cookie named “pwd“.

[+] Conclusions

A webshell implant can be a very serious threat if the attacker succeeds in pivoting  from the web server into the internal network. To avoid this, pay attention to permissions in order to ensure that accounts used to manage servers do not overlap with accounts and permissions of users in the internal network. To prevent adversary access and priviledge escalation ensure that externally facing web servers are patched and audited regularly.

[+] MITRE ATT&CK Techniques

The following is a list of MITRE ATT&CK Techniques related to what described:

+ T1100 [Actors install webshell onto webservers to gain access to network]

[+] Tactics, Techniques, Procedures

+ Actor deploys a webshell in a common error pages area of the web server.

+ Actor deploys a webshell with a file name similar to an error page.

+ Actor relies on HTTP Cookie for command and control.

+ Actor relies on HTTP Cookie for authentication mechanisms.

[+] Yara file detection rule [Loader]

rule APT34_TwoFace_Loader_v11 : IRAN THREAT ACTOR {
description = "Detects APT34 TwoFace webshell loader"
author = "Emanuele De Lucia"
tlp = "white"
$ = "System.Convert.FromBase64String(" fullword ascii
$ = "System.IO.File.WriteAllBytes(" ascii
$ = "else if(Request.Form.Count==" ascii
$ = "Request.ServerVariables[\"PATH_TRANSLATED\"].Substring" ascii
uint16(0) == 0x253c and all of them

[+] Yara file detection rule [Payload]

rule APT34_TwoFace_Payload_v04 : IRAN THREAT ACTOR {
description = "Detects APT34 TwoFace webshell payload"
author = "Emanuele De Lucia"
tlp = "white"
$ = "//wmic /node:localhost process call create \"\"cmd.exe /c wmic" fullword ascii
$ = "exec(string.Format(@\"wmic /node:{0}" ascii
$ = "tfil" fullword ascii
$ = "ttar" fullword ascii
$ = "ttim" fullword ascii
$ = "Convert.ToBase64String(new System.Security.Cryptography" fullword ascii
( uint16(0) == 0xbbef and filesize < 200KB and all of them )

[+] Indicators of Compromise

SHA256 [Artifact]: 0748d858a81567984bd21e18164ccc81e9f51e406f74da33f90f09d3d8fb9202

SHA256 [Artifact]: 2393c44c3636551474bd4469e0bd2d3f71fcf505c90737607eca54cfba4afea9

SHA256 [Artifact]: 3578a541b9c51e2b8727334e6051942c20247bb8cdb5badd00a6bfe033717136

SHA256 [Artifact]: 22c4023c8daa57434ef79b838e601d9d72833fec363340536396fe7d08ee2017

SHA256 [Artifact]: 525900b31b42ec66bacb47637a967b7b2057f3dd4b4a8cf68cfd5b756cbfdeb8

SHA256 [Artifact]: 8bdC80f70118d92a21efeb7eb3a8bed8dbfadb194b80461488b3c216d1cbda83

File Name [Artifact]: [E|e]rror.aspx

File Name [Artifact]: [E|e]rror2.aspx

File Name [Artifact]: [E|e]rror[EE|ee|ff|FF].aspx

File Name [Artifact]: tester[A|B|D|F].aspx

File Name [Artifact]: news1.aspx

File Name [Artifact]: managecontent.aspx

[+] Update 21/08/2019: TwoFace activity SNORT detection rule:

Someone emailed me asking for network detection rule for TwoFace webshell. Here we are:

alert tcp $EXTERNAL_NET any -> any $HTTP_PORTS (\
msg:"TwoFace WebShell Detected"; \
flow:to_server,established; \
content:"POST"; http_method; \
content:".aspx"; http_uri; \
content:"data=pro#=#"; http_cookie; \
classtype:trojan-activity; metadata:service http; \
sid:1000980; rev:1; \

Leave a Reply

Your email address will not be published. Required fields are marked *