TURNEDUP is a non-public backdoor. It has been dropped by APT33's StoneDrill malware. [1] [2]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | TURNEDUP is capable of writing to a Registry Run key to establish persistence.[3]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
Enterprise | T1105 | Ingress Tool Transfer |
Enterprise | T1055.004 | Process Injection: Asynchronous Procedure Call | TURNEDUP is capable of injecting code into the APC queue of a created Rundll32 process as part of an "Early Bird injection."[3]
Enterprise | T1113 | Screen Capture |
Enterprise | T1082 | System Information Discovery |