OilRig tested a new variant of their TwoFace webshell to determine what parts of their code triggered antivirus detection.

Who is behind the attack?

The activity is attributed to OilRig, a threat group known for cyber-espionage and targeted campaigns, often linked to the Middle East.

What was the goal of the attack?

The goal was not an active breach, but to refine and obfuscate their tools — especially the TwoFace webshell — to ensure they can bypass security systems in future operations.

Was this a widespread attack?

No, this was a controlled test in a likely development environment. However, it signals preparations for broader deployment.

What data or systems were targeted?

No direct targeting occurred during testing, but the tools in development are designed to provide remote control over web servers.

How was the testing carried out?

The attackers repeatedly modified their loader script and monitored detection rates from antivirus engines, adjusting the code to find what elements triggered detection.

Why are these systems attractive to attackers?

Web servers offer persistent, often under-monitored access points that allow attackers to move laterally within a network once breached.

What should organizations do to stay protected?

Organizations should monitor for suspicious ASPX files, implement behavior-based webshell detection, and ensure their security tools are tuned to recognize encoded or encrypted payloads.

Is this something that could affect the general public?

While this specific testing activity is targeted and technical, it reflects broader threats that could eventually affect anyone using compromised web services.

Threats Feed|OilRig|Last Updated 14/07/2025|AuthorCertfa Radar|Publish Date11/12/2017

OilRig Perfects Evasion Techniques with TwoFace Webshell

Actor Motivations: Espionage
Attack Vectors: Backdoor,Malware
Attack Complexity: Medium
Threat Risk: Unknown

Threat Overview

Unit 42 monitored OilRig's testing of the TwoFace webshell, specifically its TwoFace++ variant, to evade detection by security tools. Analysis revealed that OilRig's developers systematically modified the webshell's loader script to reduce detection rates, ultimately achieving zero detection by altering code related to the embedded payload's update functionality. The testing involved decoding and encrypting webshell data and frequent code alterations to pinpoint and circumvent security measures. Additionally, another webshell, named DarkSeaGreenShell, was discovered during these tests.

Reference and Credit: Palo Alto Network - December 2017

OilRig Performs Tests on the TwoFace Webshell

Extracted IOCs

03e2c6850887702ae70db57582653d7c31c6f92d116746c610d379014a5ff4a0
23dd0e94999d9f7dc764615f230d24180dc623cf89e06997743d68f51e3ce163
387738ad7e732ad3b63af2fd51da311c5d01ffca031230d81ee627221b56ff09
3b2546a57b6edf57c7dc3f062a79a6f18e4dbb78570eede232431b36b5c51089
3e0c251962976395fff489a985290afe02175baf0cdf3d14eb3e01b3821414e9
4be8a58d4bd73af4d4e2741a31b30ad16a733ce824afe445277c92ae5de08ab4
59155e0db84ca2aa4a4fc0c0a4f7a71446bb963e2544f131c81aa902f7c3b38d
5979506165bb489dae0826daa8051588f3944a711bb5c9bdff7f5cfe5b616ea3
65d744d907c8d69100bad5ce14ad780d57688eb6f0f1276bbf956711adfcea99
672a43ef6914f6090c20c19348af1bfed05919177f1bfb03dc8dbde0c8bbd49d
9ecd1f1761988994511ade39e38f22e28c9200bea3b6a1194de032d3877da757
9fd3672c9d3d43755495e85cead5c6a5d67fab70178250aeb8f01b3dd09f820f
a443f6918d4ea0caca0bee8afb41e972bc5f9b7b49a1b72e8a254fdb887988ba
a6c62217c27a0bc0a5d9ea37c71d29049846a3d75b680b9ae74cf5ff498af529
aa8be54babad2c70d51a0146fd42c947f5fc0705bc9edc237f61a05275cf2f31
bc76fea3f9b549799f73c675a5f141d32c775e6afac53a71c06124dbece65e7c
bd0d9f267318da8197913a56f240f0a0152a5ad96acddc85eed97096d42b0479
d3983d0bccd38b6198f9dcc9d0a0eec46d31ccad0e7b9575e25368e740b51a6a
da280d5b0955fc1dce27c6fbbbdbe3049949ad75b0d3fb00dc9e736c7ba84668
e3f1e7021604e7d7a7a7c500c2564abb5b3a9c278bd7cef131e650654ef796bd
e7963620205f52b5e2649911acd68d08fcebcbdc7dd312ef73c602f07d730e06
fc35c1b652496932036544758d43d629696e7f33e547638b90dc9a0a0fbfd755
fcecc7392b8a51c215f569bb56044409ceb4ab9beccabb6128e9458add1deac1

download

Tip: 23 related IOCs (0 IP, 0 domain, 0 URL, 0 email, 23 file hash) to this threat have been found.

FAQs

FAQ: Understanding OilRig’s Testing of the TwoFace++ Webshell

: OilRig tested a new variant of their TwoFace webshell to determine what parts of their code triggered antivirus detection.
: The activity is attributed to OilRig, a threat group known for cyber-espionage and targeted campaigns, often linked to the Middle East.
: The goal was not an active breach, but to refine and obfuscate their tools — especially the TwoFace webshell — to ensure they can bypass security systems in future operations.
: No, this was a controlled test in a likely development environment. However, it signals preparations for broader deployment.
: No direct targeting occurred during testing, but the tools in development are designed to provide remote control over web servers.
: The attackers repeatedly modified their loader script and monitored detection rates from antivirus engines, adjusting the code to find what elements triggered detection.
: Web servers offer persistent, often under-monitored access points that allow attackers to move laterally within a network once breached.
: Organizations should monitor for suspicious ASPX files, implement behavior-based webshell detection, and ensure their security tools are tuned to recognize encoded or encrypted payloads.
: While this specific testing activity is targeted and technical, it reflects broader threats that could eventually affect anyone using compromised web services.

About Affiliation

OilRig

Associate threats