TwoFace is a webshell that was recently discovered on a server belonging to a Middle Eastern company during a routine check. After experts took a closer look at it, they found that TwoFace had likely been operating on the infected computer for over a whole year before it was spotted. Naturally, this raised great concerns. It is believed that the main goal of TwoFace is to collect sensitive data such as the usernames and passwords of the company's employees, but it is speculated that the attackers may have gone further, with the capability to download data from the servers as well as upload files. Furthermore, TwoFace could replicate and propagate itself to other systems connected to the network of the patient-zero computer.
It was not just this Middle Eastern company that fell victim to TwoFace. News came out that Israeli institutions have become targets of the TwoFace webshell too, and other companies located in Israel in the property, telecommunications, and education sectors also reported becoming victims of TwoFace. This has led malware experts to consider the involvement of the infamous Iranian hacker group OilRig in these attacks.
There is no information or clue as to which vulnerabilities the attackers exploited to plant the TwoFace webshell, but they have certainly done a good job of staying anonymous. They have covered their tracks by using remote servers located in Germany, France, and the US.
Whoever is behind the TwoFace attacks, they have done a good job of staying under the radar for over a year, and it is not yet known exactly how much damage this nasty threat has caused.