Palo Alto researchers suggest that the malicious webshell known as TwoFace could be linked to the OilRig threat group.

An analysis of a recently discovered webshell used to harvest credentials from an unnamed Middle Eastern organization has unearthed a complex malicious infrastructure that appears to be targeting Israeli institutions and may be linked to the Iranian APT group OilRig, according to researchers.

The webshell, called TwoFace, was discovered by Palo Alto Networks' Unit 42 threat intelligence team earlier this year. In a report published last July, Palo Alto stated that the webshell had been active on one organization's network since at least June 2016.

TwoFace was designed to operate on web servers running Microsoft's ASP.NET web application framework, and is so named because it consists of two distinct components: a loader, whose main job is to write the primary payload onto the compromised web server, and the payload itself. The final payload is capable of executing a program or command, uploading a file to or downloading a file from the server, writing data to or deleting files in the TEMP folder, and viewing or setting files' MAC (modified, accessed, created) timestamps, the last of which lets the operator backdate files so they blend in with legitimate content.
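The traits described above (request parameters fed into process execution, base64-encoded blobs that conceal a second stage, and timestamp rewriting) are exactly what a defender can grep for on an IIS host. The script below is an added example written for this article, not Unit 42's tooling and not TwoFace's own source: it walks a web root, scores each ASP.NET file against a small indicator list, and reports files over a threshold. The indicator list, weights and threshold are assumptions to be tuned per environment, and the two sample pages are constructed for the demo rather than real samples.

```python
"""Heuristic scan of ASP.NET pages for TwoFace-style webshell traits.

Added example; the indicators, weights and threshold are assumptions,
and the sample pages below are constructed, not real malware.
"""
import re
import tempfile
from pathlib import Path

# (pattern, weight, why it matters). Weights are an illustrative assumption.
INDICATORS = [
    (re.compile(r"Request\.(Form|Params|QueryString|Headers)\[", re.I), 1,
     "reads attacker-controlled request data"),
    (re.compile(r"Process\.Start|ProcessStartInfo", re.I), 3,
     "spawns a process (command execution)"),
    (re.compile(r"Assembly\.Load\s*\(", re.I), 3,
     "loads an assembly from memory (loader/payload split)"),
    (re.compile(r"Convert\.FromBase64String", re.I), 1,
     "decodes base64 blobs (embedded payload or commands)"),
    (re.compile(r"File\.Set(CreationTime|LastWriteTime|LastAccessTime)", re.I), 3,
     "rewrites MAC timestamps (timestomping)"),
    (re.compile(r"Response\.BinaryWrite|File\.WriteAllBytes", re.I), 1,
     "raw file read/write on the web server"),
    (re.compile(r"Request\.Files\[", re.I), 2, "accepts file uploads"),
]

ALERT_THRESHOLD = 5  # assumption: a single benign trait should not alert


def score_source(text):
    """Return (score, [reasons]) for the source text of one page."""
    score, hits = 0, []
    for pattern, weight, why in INDICATORS:
        if pattern.search(text):
            score += weight
            hits.append(why)
    return score, hits


def scan_tree(root, exts=(".aspx", ".ashx", ".asmx", ".aspx.cs")):
    """Walk a web root; return [(path, score, reasons)] for files at/over threshold."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or not path.name.lower().endswith(exts):
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        score, hits = score_source(text)
        if score >= ALERT_THRESHOLD:
            findings.append((str(path), score, hits))
    return sorted(findings, key=lambda f: -f[1])


# Constructed sample pages for the demo (not real TwoFace code).
BENIGN_PAGE = """<%@ Page Language="C#" %>
<script runat="server">
  void Page_Load(object s, EventArgs e) {
    string name = Request.Form["name"];
    Response.Write("Hello " + Server.HtmlEncode(name ?? ""));
  }
</script>"""

SUSPICIOUS_PAGE = """<%@ Page Language="C#" %>
<script runat="server">
  void Page_Load(object s, EventArgs e) {
    byte[] b = Convert.FromBase64String(Request.Form["d"]);
    var p = new ProcessStartInfo("cmd.exe", "/c " + Encoding.UTF8.GetString(b));
    Process.Start(p);
    File.SetLastWriteTime(Request.PhysicalPath, new DateTime(2014, 1, 1));
  }
</script>"""


def demo():
    """Write both sample pages into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "default.aspx").write_text(BENIGN_PAGE)
        (Path(root) / "bin").mkdir()
        (Path(root) / "bin" / "update.aspx").write_text(SUSPICIOUS_PAGE)
        return scan_tree(root)


if __name__ == "__main__":
    for path, score, hits in demo():
        print(f"{score:2d} {path}")
        for h in hits:
            print("   -", h)
```

Content matching of this kind catches unobfuscated shells and is cheap to run on a schedule; a shell that rebuilds its strings at runtime will need the stronger signal of a process tree in which w3wp.exe spawns cmd.exe or powershell.exe, which the article's description of command execution also implies.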

In its July report, Palo Alto noted that the webshell received commands from five IP addresses, likely all compromised, in four different countries. Much of the malicious activity involved using the Mimikatz post-exploitation tool to dump the credentials of accounts logged on to the system and save them to a file before exfiltrating them. The actors also leveraged TwoFace to download additional webshells and to move laterally to other servers in the infected organization.

In the weeks that followed, Palo Alto learned even more about the presumably compromised IP addresses linked to TwoFace, the company revealed this week in a new blog post.


For instance, researchers looked into the passive DNS entries for a TwoFace IP address that was traced to France. This inquiry turned up fraudulent domain names and websites designed to impersonate the login portals of genuine organizations, in order to trick visitors into entering their credentials so they could be harvested for malicious use.

The organizations being imitated were all either based in Israel or exhibited strong Israeli connections, including the Institute of National Security Studies think tank, Tel Aviv University, consulting firm Macros Advisory Partners, real estate and property management company Tidhar Group, telecom firm Bezeq International, and the Hebrew University of Jerusalem.

"Credential harvesters in general are not uncommon, but it is significant to have a grouping of region- and company-specific harvesters. This grouping leads us to believe that this adversary is likely to have had a specific mission to accomplish, which involved breaching specific organizations," states the Unit 42 blog post, co-authored by threat intelligence analysts Robert Falcone and Bryan Lee. "And it is highly unlikely that it is a coincidence that these specifically designed spoofing sites were on the same infrastructure as TwoFace when both target the same geopolitical region."

Researchers also found links between TwoFace and five other webshells, including one called RunningBee, which was found hosted on a server belonging to an unnamed Middle Eastern educational institution. A TwoFace IP address, traced to the U.S. and owned by a Middle Eastern nation-state's Ministry of Oil, was used to upload post-exploitation tools to the RunningBee shell.

While investigating four other webshells tied to TwoFace, Unit 42 was also able to uncover a remote connection tool known as PuTTY Link (plink) and a custom Microsoft IIS (Internet Information Services) web server backdoor called RGDoor.

"We believe the threat actors may have used plink to connect to additional systems on the compromised network after obtaining legitimate credentials using a tool such as Mimikatz," the blog post reported. "RGDoor is an HTTP module that the threat actors are likely loading into the IIS web server to maintain an additional, backup access point should the compromised organization detect and remediate the installed webshell...from the server."
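Because a native IIS HTTP module such as the RGDoor backdoor described above is registered in the server's applicationHost.config rather than dropped into a web root, a webshell scan alone will miss it. The script below is an added example written for this article, not Unit 42's tooling and not anything from RGDoor itself: it parses the globalModules section of that configuration and flags native modules whose DLL lives outside the stock inetsrv directory, or, if a baseline from a known-good server is supplied, whose name is not on it. The sample configuration is constructed, and the "PerfMonitor" entry in it is a hypothetical rogue module, not RGDoor's real name or path.

```python
"""Audit native (global) IIS HTTP modules registered in applicationHost.config.

Added example. The stock image directory is an assumption about a default
IIS install, and SAMPLE_CONFIG is constructed; "PerfMonitor" is hypothetical.
"""
import os
import xml.etree.ElementTree as ET

# Assumption: on a default install every stock native module image lives here.
STOCK_IMAGE_DIR = r"%windir%\system32\inetsrv"

# Real location of the live file on an IIS host; read with utf-8-sig because
# the file is normally written with a BOM.
DEFAULT_CONFIG_PATH = os.path.expandvars(
    r"%windir%\System32\inetsrv\config\applicationHost.config")


def _normalize(image):
    """Lower-case and fold %SystemRoot% into %windir% so prefix checks compare alike."""
    return image.lower().replace("%systemroot%", "%windir%").replace("/", "\\")


def audit_global_modules(config_xml, baseline=None):
    """Return [(name, image, reason)] for native modules that deserve a look.

    A module is flagged when its image is outside STOCK_IMAGE_DIR, or, when a
    baseline set of module names is given, when its name is not in the baseline.
    """
    root = ET.fromstring(config_xml)
    flagged = []
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            name = add.get("name", "")
            image = add.get("image", "")
            reasons = []
            if not _normalize(image).startswith(STOCK_IMAGE_DIR):
                reasons.append("image outside %windir%\\system32\\inetsrv")
            if baseline is not None and name not in baseline:
                reasons.append("module name not in baseline")
            if reasons:
                flagged.append((name, image, "; ".join(reasons)))
    return flagged


def audit_file(path=DEFAULT_CONFIG_PATH, baseline=None):
    """Audit the live configuration file on disk."""
    with open(path, encoding="utf-8-sig") as fh:
        return audit_global_modules(fh.read(), baseline)


# Constructed sample: four stock modules plus one hypothetical rogue entry.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="HttpCacheModule" image="%SystemRoot%\system32\inetsrv\cachhttp.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="PerfMonitor" image="C:\inetpub\wwwroot\bin\perfmon.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


if __name__ == "__main__":
    source = SAMPLE_CONFIG
    if os.path.exists(DEFAULT_CONFIG_PATH):
        with open(DEFAULT_CONFIG_PATH, encoding="utf-8-sig") as fh:
            source = fh.read()
    for name, image, reason in audit_global_modules(source):
        print(f"{name}: {image} ({reason})")
```

The path heuristic alone is weak, since an attacker can drop a DLL into inetsrv, so the baseline comparison against a clean server (or against the module list captured at build time) is the check worth keeping; a flagged image should then be hashed and compared with the file's signature and MAC timestamps, the same timestamps the article notes TwoFace can forge.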

The multi-pronged infrastructure tied to TwoFace hints at an actor with significant resources, and that actor could be OilRig, according to Unit 42 researchers. One key clue: a specific version of the Mimikatz tool that was uploaded to an institution infected with the TwoFace shell was also observed in use during an investigation of OilRig APT activities.

"While we cannot be absolutely certain that this is the same adversary in both attacks, we are able to ascertain that this specific entity does have access to OilRig tools and also has access to a very specific sample of Mimikatz only found in this attack infrastructure," the blog post states.

In an email interview with SC Media, Christopher Budd, senior threat communications manager at Palo Alto Networks, provided deeper context regarding the OilRig group and how it could be connected to TwoFace.

"We've seen previously that OilRig attacks are highly targeted spear phishing attacks that use malicious Microsoft Office documents to deliver malware. We have named the family of malicious documents used 'Clayslide.' We have found Clayslide documents dropping malware we've named 'Helminth,'" said Budd. "In the latest blog, we do note that 'one possible scenario of how TwoFace and OilRig are used in conjunction could be where the adversary uses the Clayslide documents to deliver Helminth, which is then used as an initial landing point or beachhead into the target's network. From there, the adversary may use the initial ingress point and its corresponding permissions to install the TwoFace webshell on accessible systems.'"

Palo Alto Networks also notes that TwoFace and OilRig share many of the same geographic targets. Additionally, one of the passwords needed to interact with the aforementioned RunningBee shell is the same one used for webshells observed in an Iranian industrial cyberespionage campaign that Cylance described in a 2014 report as Operation Cleaver.

"As we have continued our research into operations in the Middle East, we are beginning to uncover more and more overlaps between the various adversary groups and campaigns outlined by us and others in the public domain," the Unit 42 blog post concludes. "In this incident, we were able to follow a trail starting from a single webshell to a bevy of compromised sites, credential harvesters, post-exploitation tools, and even an operational overlap with what we originally thought was an unrelated attack campaign. The Middle East region has proven to be a hotbed of threat activity in recent times, with continued acceleration of pacing as well as development in the tactics and techniques used."