TURNEDUP
TURNEDUP is a non-public backdoor. It has been dropped by APT33's StoneDrill malware. [1] [2]
ID: S0199
ⓘ
Type: MALWARE
ⓘ
Platforms: Windows
Contributors: Christiaan Beek, @ChristiaanBeek; Ryan Becwar
Version: 1.1
Created: 18 April 2018
Last Modified: 25 April 2025
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
TURNEDUP is capable of writing to a Registry Run key to establish.[3] |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1105 | Ingress Tool Transfer | ||
| Enterprise | T1055 | .004 | Process Injection: Asynchronous Procedure Call |
TURNEDUP is capable of injecting code into the APC queue of a created Rundll32 process as part of an "Early Bird injection."[3] |
| Enterprise | T1113 | Screen Capture | ||
| Enterprise | T1082 | System Information Discovery | ||
Groups That Use This Software
References
- O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
- Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
- Gavriel, H. & Erbesfeld, B. (2018, April 11). New ‘Early Bird’ Code Injection Technique Discovered. Retrieved May 24, 2018.
- Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.