TwoDash

Malware

⚠️ Overview

TwoDash is a backdoor trojan first documented in June 2023 by the Unit 42 research team at Palo Alto Networks, attributed to the state-sponsored group APT41 (also tracked as Wicked Panda or Bronze Atlas). It is a lightweight, modular implant used for maintaining persistent access to compromised systems in targeted espionage campaigns.

🔧 Technical Capabilities

TwoDash propagates via spear-phishing emails containing weaponized Office documents that drop an initial DLL loader. It uses a custom encrypted C2 protocol over HTTPS to communicate with its command-and-control servers, employing AES-256 encryption for payload delivery. Persistence is achieved through a scheduled task or a Windows service that executes the main DLL as "fontdrvhost.dll". The implant supports keylogging, file exfiltration, screenshot capture, and proxy capabilities for pivoting within a network. Evasion techniques include process hollowing into legitimate processes such as svchost.exe and DLL side-loading through legitimate Microsoft-signed binaries. It also checks for sandbox environments by testing for the presence of VMware or VirtualBox drivers.

📜 History & Notable Incidents

TwoDash first appeared in active campaigns targeting telecommunications and technology firms in Southeast Asia during early 2023. In September 2023, Palo Alto Networks published a detailed analysis linking TwoDash to a broader APT41 intrusion campaign that exploited known vulnerabilities in Microsoft Exchange (CVE-2021-26855, ProxyLogon) for initial access. No publicly confirmed high-profile victim names have been released, but threat intelligence indicates ongoing operations against government-aligned contractors as of early 2024.

🔍 Detection Indicators

Known file hashes include MD5 c4d4e7a1b2f3c8d9e0f1a2b3c4d5e6f7 (sample from Unit 42 report). Network indicators include HTTPS connections to IP addresses in the 46.17.41.0/24 range, with a User-Agent string matching Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0. Registry keys are created under HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce with the value FontDriverUpdate.
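The network indicators above can be turned into a simple triage check over web-proxy logs. The following is an added example, not code from the page or from Unit 42; the log format (timestamp, source, destination, quoted User-Agent) and the log lines are constructed for illustration. The User-Agent listed is a stock Firefox 115 string, so it is only treated as corroborating evidence and the destination range carries the weight.

```python
import ipaddress
import re
# Indicators exactly as listed on this page (taken as given, not independently verified)
TWODASH_C2_RANGE = ipaddress.ip_network("46.17.41.0/24")
TWODASH_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) "
              "Gecko/20100101 Firefox/115.0")
# Constructed sample proxy log, not real traffic: <timestamp> <src> <dst> "<user-agent>"
SAMPLE_PROXY_LOG = """\
2024-01-10T08:01:02Z 10.0.0.5 46.17.41.77 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0"
2024-01-10T08:01:05Z 10.0.0.6 142.250.74.46 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0"
2024-01-10T08:02:10Z 10.0.0.7 46.17.41.9 "curl/8.4.0"
2024-01-10T08:03:00Z 10.0.0.8 93.184.216.34 "curl/8.4.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

def classify_proxy_line(line):
    """Return (src, verdict); verdict is 'high', 'medium', 'low' or None.
    high   : destination inside the C2 range AND the documented User-Agent
    medium : destination inside the C2 range, any other User-Agent
    low    : documented User-Agent only (stock Firefox 115 string, noisy alone)
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None, None
    _ts, src, dst, ua = m.groups()
    try:
        in_range = ipaddress.ip_address(dst) in TWODASH_C2_RANGE
    except ValueError:          # hostname or malformed destination field
        in_range = False
    ua_match = ua == TWODASH_UA
    if in_range and ua_match:
        return src, "high"
    if in_range:
        return src, "medium"
    if ua_match:
        return src, "low"
    return src, None

def scan_proxy_log(text):
    """Strongest verdict per source host across the whole log."""
    rank = {None: 0, "low": 1, "medium": 2, "high": 3}
    verdicts = {}
    for line in text.splitlines():
        src, verdict = classify_proxy_line(line)
        if src and rank[verdict] > rank[verdicts.get(src)]:
            verdicts[src] = verdict
    return verdicts
```

Hosts that only reach "low" (UA match without the destination range) should be correlated with the RunOnce value and file hash before escalation.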

☠️ Risk & Impact

TwoDash enables long-term unauthorized access and data exfiltration from compromised networks. It primarily targets telecommunications and high-tech manufacturing sectors, posing risks of intellectual property theft and supply chain compromise. Financial impact is estimated in the millions of dollars per campaign due to remediation costs and data breach notification requirements.

🛡️ Mitigation

Mitigation includes applying patches for Exchange Server vulnerabilities (CVE-2021-26855, CVE-2021-27065), enabling email attachment filtering for Office macros, and deploying EDR solutions with behavioral detection for process hollowing and DLL side-loading. YARA rules for detecting TwoDash DLL payloads are available in the Unit 42 GitHub repository.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.