{
	"id": "01ca50f9-742c-4916-a336-3eb3f26e1a1a",
	"created_at": "2026-04-06T00:12:21.856365Z",
	"updated_at": "2026-04-10T03:37:36.595645Z",
	"deleted_at": null,
	"sha1_hash": "1655e090c52d870c8bb518408742fc5e6cead70b",
	"title": "OilRig Performs Tests on the TwoFace Webshell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1930897,
	"plain_text": "OilRig Performs Tests on the TwoFace Webshell\r\nBy Robert Falcone\r\nPublished: 2017-12-11 · Archived: 2026-04-05 12:36:36 UTC\r\nSummary\r\nUnit 42 is well aware of the OilRig threat group conducting testing activities on their tools prior to their use in active\r\noperations. We first discussed OilRig’s testing activity in our April 2017 blog OilRig Actors Provide a Glimpse into\r\nDevelopment and Testing Efforts, which provided an analysis of the changes made to the Clayslide delivery documents\r\nin order to evade detection.\r\nOn November 15, 2017, we observed an OilRig developer testing the TwoFace webshell, which we first wrote about in\r\nour July 2017 blog TwoFace Webshell: Persistent Access Point for Lateral Movement. We specifically observed the\r\ndeveloper testing a version that we call the TwoFace++ variant.\r\nIn this blog, we will provide an analysis of the activities carried out in this series of testing, which clearly\r\nshows the developer making changes to the TwoFace webshell and looking for increases and decreases in the detection\r\nrate to determine the detected content. Please reference our previous blog titled TwoFace Webshell: Persistent Access\r\nPoint for Lateral Movement for details on the construction and functionality of the TwoFace webshell.\r\nTesting Activity\r\nAs in our previous analysis of OilRig testing activities, our analysis of this testing activity began with gathering a\r\ncollection of related TwoFace loader samples. For this blog, we included only the TwoFace loader samples that were\r\ncreated specifically to determine what security vendors detect within the TwoFace loader script. 
We used the same\r\nmethodology to analyze the testing activity as in previous OilRig testing activities, specifically by comparing each file in\r\nsequence to see the changes the developer made in each iteration of testing.\r\nThe flowchart in Figure 1 has similar elements to the flowchart we included with our previous analysis of OilRig\r\ntesting activities. However, we have changed the decisions (diamond shapes) in the flowchart to more closely reflect\r\nthe activities we observed in the testing of TwoFace. The testing of TwoFace did not stop when the developer\r\nsuccessfully reduced the detection rate to 0, as the developer continued to make modifications to determine the exact\r\ncode within TwoFace that caused detection. The developer only ceases testing activities when they know exactly what\r\nthe security vendors are using to detect the script.\r\nhttps://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/\r\nPage 1 of 23\n\nFigure 1 Flowchart of OilRig's process of testing TwoFace\r\nTesting Analysis\r\nThe testing activity started on November 15, 2017 at 8:51 AM and ended at 9:07 AM (UTC), which resulted in the\r\ndeveloper making 22 modifications to the TwoFace loader script in sixteen minutes throughout the iterations of testing.\r\nIf you recall from our previous research, TwoFace is comprised of two parts: a loader script and an embedded payload\r\nwebshell. The observed testing activity focused on the TwoFace loader script, which is responsible for obtaining a\r\ndecryption key from inbound requests, decrypting an embedded webshell and saving the decrypted webshell to the\r\nwebserver.\r\nTable 1 shows the files created during the iterations of testing activity, along with their filename and the number of\r\nvendors detecting the file as malicious. 
The delta column shows the time between each testing iteration, which shows\r\nthat the developer was rapidly making changes to these files. Also, there is a noticeable pattern in the filenames with a\r\nmajority of the names being “out2.aspx”, but “out1.aspx”, “in1.aspx” and “w1.aspx” being used as well.\r\nIteration Date Delta (min:sec) SHA256 Filename AV\r\nBase 11/15/17 8:00 4be8a58d4bd73af4d4e2... out1.aspx 3\r\n1 11/15/17 8:02 01:30 23dd0e94999d9f7dc764... in1.aspx 3\r\n2 11/15/17 8:04 02:02 da280d5b0955fc1dce27... out2.aspx 2\r\n3 11/15/17 8:14 09:41 e7963620205f52b5e264... out2.aspx 2\r\n4 11/15/17 8:14 00:55 387738ad7e732ad3b63a... out2.aspx 2\r\n5 11/15/17 8:20 05:18 a443f6918d4ea0caca0b... out2.aspx 0\r\n6 11/15/17 8:21 01:27 bd0d9f267318da819791... out2.aspx 1\r\n7 11/15/17 8:23 02:06 fcecc7392b8a51c215f5... out2.aspx 0\r\n8 11/15/17 8:25 01:18 bc76fea3f9b549799f73... out2.aspx 0\r\n9 11/15/17 8:27 02:16 a6c62217c27a0bc0a5d9... w1.aspx 0\r\n10 11/15/17 8:28 01:22 9fd3672c9d3d43755495... out2.aspx 1\r\n11 11/15/17 8:40 12:05 d3983d0bccd38b6198f9... w1.aspx 0\r\n12 11/15/17 8:42 01:19 5979506165bb489dae08... out2.aspx 0\r\n13 11/15/17 8:43 00:50 3b2546a57b6edf57c7dc... out2.aspx 0\r\n14 11/15/17 8:44 01:00 9ecd1f1761988994511a... out2.aspx 0\r\n15 11/15/17 8:45 01:04 fc35c1b6524969320365... out2.aspx 0\r\n16 11/15/17 8:46 01:27 59155e0db84ca2aa4a4f... out2.aspx 0\r\n17 11/15/17 8:47 00:57 aa8be54babad2c70d51a... out2.aspx 0\r\n18 11/15/17 8:48 00:46 e3f1e7021604e7d7a7a7... out2.aspx 1\r\n19 11/15/17 8:53 05:08 65d744d907c8d69100ba... out2.aspx 1\r\n20 11/15/17 8:56 03:32 672a43ef6914f6090c20... out2.aspx 1\r\n21 11/15/17 9:07 10:08 03e2c6850887702ae70d... out1.aspx 1\r\n22 11/15/17 9:07 00:49 3e0c251962976395fff4... out1.aspx 0\r\n11/15/17 9:09 01:27 3efe6ed1864fa36df9d4... 
2222.aspx 0\r\nTable 1 Samples associated with OilRig's testing of TwoFace loader shell\r\nWe have included analysis of all the changes made throughout the testing activities in the iterations listed in Table 1\r\nin the Appendix; however, it is important to discuss the more interesting activities we observed during testing. The\r\nmost important observation is that the developer systematically removes lines of code until they observe a change in\r\ndetection rate, specifically a decrease, to locate the lines of code that are used by security vendors for detection. Once\r\nthey determine the line of code detected, they add the line of code back but in a modified state and look for a change in\r\nthe detection rate, specifically an increase, to see if they can determine the specific data within that line of code that is\r\ndetected.\r\nWe see this general process of making changes and monitoring for increases and decreases in detection rate throughout\r\nthe activity. Using this process, the developer was able to first determine that the cause of detection relied on the\r\nencoded and encrypted data for the embedded webshell. The developer was then able to determine that detection did not\r\nsolely rely on the embedded webshell. Rather, the detection was based on both the embedded webshell and a line of\r\ncode that allowed an actor to update the embedded payload webshell by writing the encoded and encrypted data to be\r\nused as the embedded payload to the TwoFace loader file. The developer ended testing with a zero-detection rate by\r\nleaving the encoded and encrypted data for the embedded webshell unchanged, but removing the embedded payload\r\nupdate functionality within the TwoFace loader script.\r\nPossible TwoFace++ Embedded Payload\r\nAs you may have noticed, Table 1 has 24 files listed for the 22 iterations of testing, which seems one too many. 
The\r\nlast file in Table 1, specifically 2222.aspx, is not a TwoFace loader sample; rather, it is another webshell entirely. It\r\nappears the developers refer to this as DarkShell based on the string in the authentication routine of\r\n“DarkShellPasswordSet”. We are tracking this webshell under the name DarkSeaGreenShell, as the webshell has a\r\ntable border color set to “darkseagreen” and DarkShell has already been used to track another malware family.\r\nFigure 2 DarkSeaGreenShell's user interface\r\nWe believe the 2222.aspx may be a variant of the payload webshell embedded within the TwoFace loader samples seen\r\nin testing activities. We cannot confirm this, as we have been unable to decrypt the 3DES encrypted payload webshell in the\r\nTwoFace loader scripts seen during testing. However, the 2222.aspx file is 8,213 bytes in size and the decoded\r\nciphertext of the embedded webshell in the TwoFace files is 8,224 bytes in length. While the two differ by 11 bytes, it\r\nis possible the difference in size was caused by changes made to the webshell prior to testing. We know a developer\r\nmodified the 2222.aspx file to some extent, as the authentication routine within the webshell suffers from obvious logic\r\nerrors that appear to be the result of a developer attempting to determine what is causing detection.\r\nFor example, the ‘chk’ function seen in the code block below authenticates inbound requests to the webshell; however,\r\nthis function contains several major errors that break the authentication mechanism. 
As you can see from the code\r\nblock, successful authentication requires that the Base64-encoded SHA1 hash of the password in the ‘pass’ variable match\r\nthe hardcoded string “DarkShellPasswordSet.” A successful match is impossible, as there is no SHA1 hash that can be\r\nBase64 encoded to match the “DarkShellPasswordSet” string: a 20-byte SHA1 digest always Base64 encodes to a\r\n28-character string ending in “=”, while “DarkShellPasswordSet” is only 20 characters long.\r\nprotected bool chk(string pass)\r\n{\r\n  try\r\n  {\r\n      // 'sha' and 'hash' are computed but never used; 'aut' recomputes the same digest\r\n      System.Security.Cryptography.SHA1 sha = new System.Security.Cryptography.SHA1CryptoServiceProvider();\r\n      byte[] hash = sha.ComputeHash(Encoding.ASCII.GetBytes(pass));\r\n      string aut = Convert.ToBase64String(new System.Security.Cryptography.SHA1CryptoServiceProvider().ComputeHash(Encoding.ASCII.GetBytes(pass)));\r\n      // this comparison can never succeed: a Base64-encoded SHA1 digest is always 28 characters\r\n      if (aut != \"DarkShellPasswordSet\")\r\n      {\r\n          this.__VIEWP.BackColor = System.Drawing.Color.Red;\r\n          return false;\r\n      }\r\n      else\r\n      {\r\n          this.__VIEWP.BackColor = System.Drawing.Color.Green;\r\n          return true;\r\n      }\r\n  }\r\n  catch (Exception ex)\r\n  {\r\n      Label1.Text = ex.Message;\r\n      return false;\r\n  }\r\n}\r\nWe believe the developer made changes to this authentication routine during testing activities. To test its functionality\r\n(and to generate the screenshot in Figure 2), we had to modify the webshell’s code to successfully authenticate. 
The\r\nchanges to portions of the authentication routine in DarkSeaGreenShell may explain the 11-byte difference in size\r\nbetween the 2222.aspx file and the payload embedded within the TwoFace loader test files.\r\nConclusion\r\nThe OilRig threat group continues to test their toolset systematically and methodically prior to use. Based on our\r\nanalysis, the developer used very similar processes to test the TwoFace loader script that we previously saw in the\r\ntesting activities of the Clayslide macros. The process involves testing each file, making modifications to the file,\r\nretesting the newly modified file, and checking for increases and decreases in the detection rate. The testing of the\r\nTwoFace loader script clearly shows the developer attempting to determine exactly what lines of code are causing\r\ndetection. The testing also shows the developer attempting to modify the lines of code that were detected in order to\r\nevade detection while maintaining functionality. At the end of testing, the developer just removed the ability for an\r\nactor to remotely update the embedded payload within the TwoFace loader script. We believe the developer chose to\r\nremove this functionality to evade detection, as an actor could just deploy the embedded payload webshell within the\r\nTwoFace loader script and upload a new TwoFace loader script to satisfy the same functionality.\r\nAppendix\r\nThe subsections in this appendix will provide details of each iteration of testing of the TwoFace loader script.\r\nAdditionally, we provide our analysis of the changes the developer made in each iteration. 
We also provide a\r\nscreenshot of the differences made to the TwoFace loader script generated using GitHub’s unified diffing functionality,\r\nwhere lines of code with red backgrounds were removed during the iteration, the lines of code with a green\r\nbackground were added and the lines of code with a white background remained the same.\r\nIteration 1\r\nFiles: 4be8a58d4bd73af4d4e2741a31b30ad16a733ce824afe445277c92ae5de08ab4 vs\r\n23dd0e94999d9f7dc764615f230d24180dc623cf89e06997743d68f51e3ce163\r\nFilenames: out1.aspx vs in1.aspx\r\nDelta: 1 minute 30 seconds\r\nPositives: 3 -\u003e 3\r\nAnalysis:\r\nIn the first iteration, the actor removes the HTML tags that surround the core TwoFace loader code, including the 'Page\r\nLanguage=\"C#\"' header. This did not change the detection rate.\r\nFigure 3 Changes made in iteration 1 of testing\r\nIteration 2\r\nFiles: 23dd0e94999d9f7dc764615f230d24180dc623cf89e06997743d68f51e3ce163 vs\r\nda280d5b0955fc1dce27c6fbbbdbe3049949ad75b0d3fb00dc9e736c7ba84668\r\nFilenames: in1.aspx vs out2.aspx\r\nDelta: 2 minutes 2 seconds\r\nPositives: 3 -\u003e 2\r\nAnalysis:\r\nThe developer puts the HTML tags and C# header back into the file, but removes the line that sets the password salt\r\nvariable (\"hnRwONTdZ\") and changes the variable that stores the embedded webshell's Base64 encoded ciphertext to\r\n\"222\". 
This change lowered the detection rate, suggesting that either the password salt variable line or the embedded\r\nwebshell's encoded ciphertext causes detection.\r\nFigure 4 Changes made in iteration 2 of testing\r\nIteration 3\r\nFiles: da280d5b0955fc1dce27c6fbbbdbe3049949ad75b0d3fb00dc9e736c7ba84668 vs\r\ne7963620205f52b5e2649911acd68d08fcebcbdc7dd312ef73c602f07d730e06\r\nFilenames: out2.aspx vs out2.aspx\r\nDelta: 9 minutes 41 seconds\r\nPositives: 2 -\u003e 2\r\nAnalysis:\r\nThe developer does nothing more than remove the line that stores the embedded webshell's Base64 encoded\r\nciphertext.\r\nFigure 5 Changes made in iteration 3 of testing\r\nIteration 4\r\nFiles: e7963620205f52b5e2649911acd68d08fcebcbdc7dd312ef73c602f07d730e06 vs\r\n387738ad7e732ad3b63af2fd51da311c5d01ffca031230d81ee627221b56ff09\r\nFilenames: out2.aspx vs out2.aspx\r\nDelta: 55 seconds\r\nPositives: 2 -\u003e 2\r\nAnalysis:\r\nThe developer removes the line that obtains the Base64 encoded password from the inbound request, decodes it and\r\nsaves it to a variable (\"BSfbQohad\").\r\nFigure 6 Changes made in iteration 4 of testing\r\nIteration 5\r\nFiles: 387738ad7e732ad3b63af2fd51da311c5d01ffca031230d81ee627221b56ff09 vs\r\na443f6918d4ea0caca0bee8afb41e972bc5f9b7b49a1b72e8a254fdb887988ba\r\nFilenames: out2.aspx vs out2.aspx\r\nDelta: 5 minutes 18 seconds\r\nPositives: 2 -\u003e 0\r\nAnalysis:\r\nThe developer adds the variable (\"NQkRIVFnXc\") used to store the embedded webshell, but assigns it an empty string.\r\nThey also add back the line used to obtain the password that was removed in the previous iteration. 
The main difference seen in\r\nthis iteration is that the developer now has the TwoFace code formatted in a form that looks similar to pretty print.\r\nThese changes lowered the detection rate to 0, which suggests to the developer that the detections are occurring on the\r\nembedded webshell's encoded ciphertext.\r\nWe believe the developer formatted the script using pretty print to make it easier to make granular modifications to the\r\nscript in upcoming iterations.\r\nFigure 7 Changes made in iteration 5 of testing\r\nIteration 6\r\nFiles: a443f6918d4ea0caca0bee8afb41e972bc5f9b7b49a1b72e8a254fdb887988ba vs\r\nbd0d9f267318da8197913a56f240f0a0152a5ad96acddc85eed97096d42b0479\r\nFilenames: out2.aspx vs out2.aspx\r\nDelta: 1 minute 27 seconds\r\nPositives: 0 -\u003e 1\r\nAnalysis:\r\nThe developer changes the variable (\"NQkRIVFnXc\") used to store the embedded webshell to the original Base64\r\nencoded ciphertext of the webshell seen in the first testing sample. They also reintroduce the password salt variable\r\n(\"hnRwONTdZ\") with its original value. 
Therefore, the only difference between the sample generated in this\r\ntesting iteration and the initial file is formatting, as the current file is formatted using pretty print\r\nand the original sample was not.\r\nFigure 8 Changes made in iteration 6 of testing\r\nIteration 7\r\nFiles: bd0d9f267318da8197913a56f240f0a0152a5ad96acddc85eed97096d42b0479 vs\r\nfcecc7392b8a51c215f569bb56044409ceb4ab9beccabb6128e9458add1deac1\r\nFilenames: out2.aspx vs out2.aspx\r\nDelta: 2 minutes 6 seconds\r\nPositives: 1 -\u003e 0\r\nAnalysis:\r\nThe developer removes the line that sets the password salt variable (\"hnRwONTdZ\") and removes all but the first 4\r\nbytes of the Base64 encoded ciphertext within the variable (\"NQkRIVFnXc\") used to store the embedded webshell.\r\nWe believe the developer is checking to see if the password salt variable/value or the first four bytes of the encoded\r\nciphertext of the webshell were causing detection.\r\nFigure 9 Changes made in iteration 7 of testing\r\nIteration 8\r\nFiles: fcecc7392b8a51c215f569bb56044409ceb4ab9beccabb6128e9458add1deac1 vs\r\nbc76fea3f9b549799f73c675a5f141d32c775e6afac53a71c06124dbece65e7c\r\nFilenames: out2.aspx vs out2.aspx\r\nDelta: 1 minute 18 seconds\r\nPositives: 0 -\u003e 0\r\nAnalysis:\r\nThe developer reintroduces the line that sets the password salt variable (\"hnRwONTdZ\") and its original value and sets\r\nthe variable (\"NQkRIVFnXc\") used to store the embedded webshell to an empty string. 
These changes suggest to the\r\ndeveloper that detection is not caused by the password salt variable and value, but rather by the encoded\r\nciphertext of the embedded webshell.\r\nFigure 10 Changes made in iteration 8 of testing\r\nIteration 9\r\nFiles: bc76fea3f9b549799f73c675a5f141d32c775e6afac53a71c06124dbece65e7c vs\r\na6c62217c27a0bc0a5d9ea37c71d29049846a3d75b680b9ae74cf5ff498af529\r\nFilenames: out2.aspx vs w1.aspx\r\nDelta: 2 minutes 16 seconds\r\nPositives: 0 -\u003e 0\r\nAnalysis:\r\nThe developer removes all lines of code from the TwoFace loader script except for the line that sets the variable\r\n(\"NQkRIVFnXc\") used to store the embedded webshell to its original value. The detection rate does not increase,\r\nwhich tells the developer that the detection is not solely focused on the embedded webshell's encoded ciphertext.\r\nFigure 11 Changes made in iteration 9 of testing\r\nIteration 10\r\nFiles: a6c62217c27a0bc0a5d9ea37c71d29049846a3d75b680b9ae74cf5ff498af529 vs\r\n9fd3672c9d3d43755495e85cead5c6a5d67fab70178250aeb8f01b3dd09f820f\r\nFilenames: w1.aspx vs out2.aspx\r\nDelta: 1 minute 22 seconds\r\nPositives: 0 -\u003e 1\r\nAnalysis:\r\nIn this iteration of testing, the developer reverts all the changes made in the previous iteration by removing the line that\r\nsets the variable (\"NQkRIVFnXc\") used to store the embedded webshell and adding back all of the lines removed from the\r\nscript. The main change made in this iteration is to initialize the variable (\"NQkRIVFnXc\") used to store the embedded\r\nwebshell on one line and set it to its original value on another line. The purpose of this change is to see if detection\r\nis caused by initializing the variable and setting its value in one line of code, instead of splitting it into two lines. 
The\r\ndetection rate increases, suggesting that splitting the variable initialization and variable value setting does not evade\r\ndetection.\r\nFigure 12 Changes made in iteration 10 of testing\r\nIteration 11\r\nFiles: 9fd3672c9d3d43755495e85cead5c6a5d67fab70178250aeb8f01b3dd09f820f vs\r\nd3983d0bccd38b6198f9dcc9d0a0eec46d31ccad0e7b9575e25368e740b51a6a\r\nFilenames: out2.aspx vs w1.aspx\r\nDelta: 12 minutes 5 seconds\r\nPositives: 1 -\u003e 0\r\nAnalysis:\r\nThe developer reintroduces the line that sets the variable (\"NQkRIVFnXc\") used to store the embedded webshell to its\r\noriginal value. The developer then removes major portions of the TwoFace loader script, such as:\r\nRemoved line of code used to set password salt variable (\"hnRwONTdZ\") with its original value\r\nRemoved line of code used to get the Base64 encoded password from the inbound request, decode it and save\r\nit to a variable (\"BSfbQohad\")\r\nRemoved line of code used to compare a hardcoded hash to the SHA1 of the inbound password and password\r\nhash for authentication\r\nRemoved line of code used to obtain the physical path on the IIS server (\"PATH_TRANSLATED\")\r\nRemoved line of code to check the inbound request for the filename (Request.Form[\"n\"]) to write the embedded\r\nwebshell\r\nRemoved line of code to check the inbound request for the data to use to update the embedded webshell within\r\nthe file\r\nRemoved lines of code used to update the embedded webshell within the file\r\nWhat remains of the TwoFace loader script? The developer left the code used to decrypt the embedded webshell and\r\nwrite it to the system. This suggests that the developer is attempting to determine what in the TwoFace loader code,\r\ncoupled with the embedded webshell, is causing detection. 
The detection rate dropped to 0, which suggests that the\r\ncode used to write the embedded webshell to the system is not responsible for detection, but rather that portions of the removed\r\nlines cause detection.\r\nFigure 13 Changes made in iteration 11 of testing\r\nIteration 12\r\nFiles: d3983d0bccd38b6198f9dcc9d0a0eec46d31ccad0e7b9575e25368e740b51a6a vs\r\n5979506165bb489dae0826daa8051588f3944a711bb5c9bdff7f5cfe5b616ea3\r\nFilenames: w1.aspx vs out2.aspx\r\nDelta: 1 minute 19 seconds\r\nPositives: 0 -\u003e 0\r\nAnalysis:\r\nIn this iteration, the developer reintroduced the following portions of the TwoFace loader script that were removed in\r\nthe previous iteration, specifically:\r\nAdded line of code used to set password salt variable (\"hnRwONTdZ\") with its original value\r\nAdded line of code used to get the Base64 encoded password from the inbound request, decode it and save it to\r\na variable (\"BSfbQohad\")\r\nAdded line of code used to compare a hardcoded hash to the SHA1 of the inbound password and password hash\r\nfor authentication\r\nAdded line of code used to obtain the physical path on the IIS server (\"PATH_TRANSLATED\")\r\nAdded line of code to check the inbound request for the filename (Request.Form[\"n\"]) to write the embedded\r\nwebshell\r\nThe developer omitted the lines of code responsible for checking the inbound request for data and the lines of code to\r\nupdate the embedded webshell within the file. 
The detection rate did not increase, suggesting to the developer\r\nthat the detection is occurring in the code that allows for remote updating of the embedded webshell.\r\nFigure 14 Changes made in iteration 12 of testing\r\nIteration 13\r\nFiles: 5979506165bb489dae0826daa8051588f3944a711bb5c9bdff7f5cfe5b616ea3 vs\r\n3b2546a57b6edf57c7dc3f062a79a6f18e4dbb78570eede232431b36b5c51089\r\nFilenames: out2.aspx vs out2.aspx\r\nDelta: 50 seconds\r\nPositives: 0 -\u003e 0\r\nAnalysis:\r\nUsing insight into the cause for detection from the previous iteration, the developer slowly reintroduces portions of the\r\ncode used to remotely update the embedded webshell. In this iteration, the developer reintroduces the if statement that\r\nchecks the inbound request for the data to use to update the embedded webshell within the file. The detection rate did\r\nnot change; therefore, the developer knows that this line is not causing detection.\r\nFigure 15 Changes made in iteration 13 of testing\r\nIteration 14\r\nFiles: 3b2546a57b6edf57c7dc3f062a79a6f18e4dbb78570eede232431b36b5c51089 vs\r\n9ecd1f1761988994511ade39e38f22e28c9200bea3b6a1194de032d3877da757\r\nFilenames: out2.aspx vs out2.aspx\r\nDelta: 1 minute\r\nPositives: 0 -\u003e 0\r\nAnalysis:\r\nThe developer adds another line from the code used to update the embedded webshell. The line added in this iteration\r\nis responsible for reading the contents of the TwoFace loader webshell (path stored in 'LlGKKnqJdfya') and storing the\r\ncontents in a variable ('cXUIJeCnEz'). 
The detection rate stayed the same, which suggests to the developer that this\r\nline of code is not causing detection.\r\nFigure 16 Changes made in iteration 14 of testing\r\nIteration 15\r\nFiles: 9ecd1f1761988994511ade39e38f22e28c9200bea3b6a1194de032d3877da757 vs\r\nfc35c1b652496932036544758d43d629696e7f33e547638b90dc9a0a0fbfd755\r\nFilenames: out2.aspx vs out2.aspx\r\nDelta: 1 minute 4 seconds\r\nPositives: 0 -\u003e 0\r\nAnalysis:\r\nThe developer adds another line from the code used to update the embedded webshell. The line added in this iteration\r\ncreates a variable that stores a string. The string stored in the variable contains the code used in the TwoFace loader to\r\ninitialize the variable ('NQkRIVFnXc') that stores the embedded webshell. Adding this line of code to the file did not\r\nchange the detection rate, which suggests to the developer that this code does not cause detection.\r\nFigure 17 Changes made in iteration 15 of testing\r\nIteration 16\r\nFiles: fc35c1b652496932036544758d43d629696e7f33e547638b90dc9a0a0fbfd755 vs\r\n59155e0db84ca2aa4a4fc0c0a4f7a71446bb963e2544f131c81aa902f7c3b38d\r\nFilenames: out2.aspx vs out2.aspx\r\nDelta: 1 minute 27 seconds\r\nPositives: 0 -\u003e 0\r\nAnalysis:\r\nThe developer adds yet another line from the update code. The added line initializes a variable that stores the length of\r\nthe string stored in the variable added in the previous iteration. 
The detection rate did not increase based on the\r\naddition of this line.\r\nFigure 18 Changes made in iteration 16 of testing\r\nIteration 17\r\nFiles: 59155e0db84ca2aa4a4fc0c0a4f7a71446bb963e2544f131c81aa902f7c3b38d vs\r\naa8be54babad2c70d51a0146fd42c947f5fc0705bc9edc237f61a05275cf2f31\r\nFilenames: out2.aspx vs out2.aspx\r\nDelta: 58 seconds\r\nPositives: 0 -\u003e 0\r\nAnalysis:\r\nThe developer adds two more lines from the update code. The first line added finds the index of the double quote\r\ncharacter in the string in the line of code introduced two iterations prior. The second line of code essentially replaces\r\nthe embedded webshell read in from the TwoFace loader file with the data provided from the inbound request. The\r\naddition of these two lines did not change the detection rate.\r\nFigure 19 Changes made in iteration 17 of testing\r\nIteration 18\r\nFiles: aa8be54babad2c70d51a0146fd42c947f5fc0705bc9edc237f61a05275cf2f31 vs\r\ne3f1e7021604e7d7a7a7c500c2564abb5b3a9c278bd7cef131e650654ef796bd\r\nFilenames: out2.aspx vs out2.aspx\r\nDelta: 46 seconds\r\nPositives: 0 -\u003e 1\r\nAnalysis:\r\nThe developer adds one more line from the update code, which is responsible for writing the variable that contains the\r\nTwoFace loader script with its newly updated embedded webshell to a file. This essentially updates the TwoFace\r\nloader file to include a new embedded webshell. 
The addition of this line of code increased the detection rate, which\r\nlets the developer know that detection of the TwoFace loader stems from this line of code.\r\nFigure 20 Changes made in iteration 18 of testing\r\nIteration 19\r\nFiles: e3f1e7021604e7d7a7a7c500c2564abb5b3a9c278bd7cef131e650654ef796bd vs\r\n65d744d907c8d69100bad5ce14ad780d57688eb6f0f1276bbf956711adfcea99\r\nFilenames: out2.aspx vs out2.aspx\r\nDelta: 5 minutes 8 seconds\r\nPositives: 1 -\u003e 1\r\nAnalysis:\r\nThe developer now starts making changes to the line of code that writes the new TwoFace loader script to a file. In this\r\niteration, the developer does nothing more than concatenate the character '2' to the data before writing it to the file.\r\nWe believe the developer is testing to see if detection is based on the exact line of code, but this modification did not\r\nchange the detection rate.\r\nFigure 21 Changes made in iteration 19 of testing\r\nIteration 20\r\nFiles: 65d744d907c8d69100bad5ce14ad780d57688eb6f0f1276bbf956711adfcea99 vs\r\n672a43ef6914f6090c20c19348af1bfed05919177f1bfb03dc8dbde0c8bbd49d\r\nFilenames: out2.aspx vs out2.aspx\r\nDelta: 3 minutes 32 seconds\r\nPositives: 1 -\u003e 1\r\nAnalysis:\r\nThe developer adds two lines of code before and two lines of code after the line that writes the new TwoFace loader\r\nscript to the file. The developer had already determined that the lines of code added in this iteration did not cause an\r\nincrease in detection, as the lines of code added are the same as those introduced in iteration 15. 
These additions did not\r\nchange the detection rate, which suggests that padding the offending line of code with additional lines of code does not\r\naffect detection.\r\nFigure 22 Changes made in iteration 20 of testing\r\nIteration 21\r\nFiles: 672a43ef6914f6090c20c19348af1bfed05919177f1bfb03dc8dbde0c8bbd49d vs\r\n03e2c6850887702ae70db57582653d7c31c6f92d116746c610d379014a5ff4a0\r\nFilenames: out2.aspx vs out1.aspx\r\nDelta: 10 minutes 8 seconds\r\nPositives: 1 -\u003e 1\r\nAnalysis:\r\nThe developer removes the four lines of code added in the previous iteration, as well as several newlines between lines\r\nof code earlier in the TwoFace loader script. These changes did not affect the detection rate.\r\nFigure 23 Changes made in iteration 21 of testing\r\nIteration 22\r\nFiles: 03e2c6850887702ae70db57582653d7c31c6f92d116746c610d379014a5ff4a0 vs\r\n3e0c251962976395fff489a985290afe02175baf0cdf3d14eb3e01b3821414e9\r\nFilenames: out1.aspx vs out1.aspx\r\nDelta: 49 seconds\r\nPositives: 1 -\u003e 0\r\nAnalysis:\r\nThe developer completely removes the update code from the TwoFace loader script. This change brings the detection\r\nrate back down to 0.\r\nFigure 24 Changes made in iteration 22 of testing\r\nSource: https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/"
	],
	"report_names": [
		"unit42-oilrig-performs-tests-twoface-webshell"
	],
	"threat_actors": [
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434341,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1655e090c52d870c8bb518408742fc5e6cead70b.pdf",
		"text": "https://archive.orkl.eu/1655e090c52d870c8bb518408742fc5e6cead70b.txt",
		"img": "https://archive.orkl.eu/1655e090c52d870c8bb518408742fc5e6cead70b.jpg"
	}
}
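Added example, not code from the Unit 42 post and not OilRig tooling: a small Python harness that automates the differential testing the iteration series in the record above describes (concatenating a character to the data on the write line, padding that line with inert lines, stripping blank lines elsewhere, and removing the line outright) against a black-box verdict. The detector is a constructed stand-in (one regular expression keyed on a placeholder `write_file` call, an assumption chosen so the four edits reproduce the deltas the post reports), the sample is placeholder pseudo-loader lines rather than TwoFace, and all function names are assumptions. What it shows is the method: locate detected content by watching which edits move the verdict, which is also how a defender can test a signature of their own for brittleness.

```python
"""Differential localization of detected content, modelled on the iteration series above.

Added example: the detector, the sample script and the helper names are constructed
stand-ins, not Unit 42's code and not TwoFace.
"""
import re
from typing import Callable, Dict, List, Tuple

Lines = List[str]
Edit = Callable[[Lines], Lines]

# Constructed stand-in for a vendor signature (an assumption, not any real vendor's rule).
# It keys on the file-write call but tolerates trailing concatenation, which reproduces
# the observation that appending a character to the data (iteration 19) changed nothing.
_SIGNATURE = re.compile(r"write_file\(path,\s*data[^)]*\)")

# Constructed placeholder script standing in for a loader; not TwoFace code.
SAMPLE: Lines = [
    "decode_request()",
    "",
    "path = output_name()",
    "data = decoded_body()",
    "write_file(path, data)",  # the line the constructed signature keys on
    "",
    "respond_ok()",
]


def positives(lines: Lines) -> int:
    """Black-box verdict: 1 if the constructed signature fires, else 0 (the 'Positives' count)."""
    return 1 if _SIGNATURE.search("\n".join(lines)) else 0


def compare(lines: Lines, edit: Edit) -> Tuple[int, int]:
    """Apply one edit and report (positives before, positives after), i.e. one test iteration."""
    return positives(lines), positives(edit(lines))


# Edits mirroring iterations 19 to 22 of the series.
def concat_char(idx: int, ch: str) -> Edit:
    """Iteration 19: append a literal character to the data argument of the write call."""
    return lambda ls: ls[:idx] + [ls[idx][:-1] + f" + '{ch}')"] + ls[idx + 1:]


def pad_around(idx: int, n: int = 2) -> Edit:
    """Iteration 20: surround the suspect line with n inert lines on each side."""
    pad = ["noop()"] * n
    return lambda ls: ls[:idx] + pad + [ls[idx]] + pad + ls[idx + 1:]


def strip_blank_lines() -> Edit:
    """Iteration 21: remove blank lines elsewhere in the script."""
    return lambda ls: [line for line in ls if line.strip()]


def remove_line(idx: int) -> Edit:
    """Iteration 22: drop the suspect line entirely."""
    return lambda ls: ls[:idx] + ls[idx + 1:]


def localize(lines: Lines) -> List[int]:
    """Remove each line in turn; indices whose removal lowers the verdict carry the detected content."""
    base = positives(lines)
    return [i for i in range(len(lines)) if positives(remove_line(i)(lines)) < base]


def run_series(lines: Lines) -> Dict[str, Tuple[int, int]]:
    """Replay the four kinds of edit against the first localized line and collect verdict deltas."""
    culprits = localize(lines)
    if not culprits:
        return {}
    idx = culprits[0]
    return {
        "concat_char": compare(lines, concat_char(idx, "2")),
        "pad_around": compare(lines, pad_around(idx)),
        "strip_blank_lines": compare(lines, strip_blank_lines()),
        "remove_line": compare(lines, remove_line(idx)),
    }


if __name__ == "__main__":
    print("detected line index(es):", localize(SAMPLE))
    for name, (before, after) in run_series(SAMPLE).items():
        print(f"{name}: {before} -> {after}")
```

Replacing `positives` with a call to a real scanner (or a YARA rule of your own) turns the harness into a brittleness test: a rule that only the `remove_line` edit can defeat is anchored on the behaviour-bearing line, while one that `concat_char` or `pad_around` already defeats is matching incidental text.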