TURNEDUP is a non-public backdoor. It has been dropped by APT33's StoneDrill malware. [1] [2]

ID: S0199
Platforms: Windows
Contributors: Christiaan Beek, @ChristiaanBeek, Ryan Becwar
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface TURNEDUP is capable of creating a reverse shell.[1]
Enterprise T1055 Process Injection TURNEDUP is capable of injecting code into the APC queue of a created Rundll32 process as part of an "Early Bird injection."[3]
Enterprise T1060 Registry Run Keys / Startup Folder TURNEDUP is capable of writing to a Registry Run key to establish.[3]
Enterprise T1105 Remote File Copy TURNEDUP is capable of downloading additional files.[1]
Enterprise T1113 Screen Capture TURNEDUP is capable of taking screenshots.[1]
Enterprise T1082 System Information Discovery TURNEDUP is capable of gathering system information.[1]


Groups that use this software: