Malware
TwoFace
aka Minion · HighShell · HyperShell · SEASHARPEE
According to Unit42, TwoFace is a two-staged (loader+payload) webshell, written in C# and meant to run on webservers with ASP.NET.
TwoFace, also known as Minion, HighShell, HyperShell, SEASHARPEE, is an ASP malware family operated by APT27, APT34 and others.
Background
Unit 42 describes TwoFace as a two-stage (loader plus payload) web shell written in C# and designed to run on ASP.NET web servers. The loader stage was given legitimate-looking, expected content that renders when someone visits the shell in a browser, most likely to avoid drawing attention. Its code relies on obfuscated variable names, and the embedded payload is both encoded and encrypted. Operators interact with the loader by sending HTTP POST requests to the compromised server.
The second-stage web shell, referred to as the payload, sits inside the loader in encrypted form and provides the additional capabilities. When an operator wants to act on the remote server, they supply data that the loader uses to adjust a decryption key it carries, which then decrypts the embedded TwoFace payload. The payload's supported commands include running programs, uploading, downloading, and deleting files, and altering MAC timestamps.
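A defender-side triage check for the embedded encoded and encrypted payload described above, as an added example that is not from Unit 42 or Malpedia: it flags long string literals in ASP.NET page source whose decoded bytes look like ciphertext. The base64 encoding, the 256-character minimum, the 7.5 bits-per-byte threshold and all names and sample pages are assumptions made for illustration.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Assumption: the "encoded" payload is stored as a base64 string literal;
# the page does not name the encoding.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{256,}={0,2})"')
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune per estate

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def find_encrypted_blobs(aspx_source: str):
    """Return (offset, decoded_length, entropy) per ciphertext-like literal."""
    findings = []
    for match in B64_LITERAL.finditer(aspx_source):
        try:
            decoded = base64.b64decode(match.group(1), validate=True)
        except ValueError:
            continue  # not valid base64 (wrong length or padding)
        entropy = shannon_entropy(decoded)
        if entropy >= ENTROPY_THRESHOLD:
            findings.append((match.start(1), len(decoded), round(entropy, 2)))
    return findings

def constructed_blob(size: int = 2048) -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext."""
    out, block = b"", b"constructed-sample"
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]

# Constructed samples: a page with normal-looking markup plus a high-entropy
# literal, and a page whose long literal decodes to repetitive plain text.
SAMPLE_SUSPECT = (
    '<%@ Page Language="C#" %>\n<html><body>Welcome</body></html>\n'
    '<script runat="server">\nstring a1 = "'
    + base64.b64encode(constructed_blob()).decode() + '";\n</script>\n'
)
SAMPLE_BENIGN = ('<%@ Page Language="C#" %>\n<script runat="server">\nstring s = "'
                 + base64.b64encode(b"configuration value " * 100).decode()
                 + '";\n</script>\n')
```

Compressed data such as embedded images also decodes to high-entropy bytes, so a hit is a reason to review the file, not a verdict.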
Source: Malpedia (Fraunhofer FKIE).