TURNEDUP

TURNEDUP is a non-public backdoor. It has been dropped by APT33's StoneDrill malware. [1] [2]

ID: S0199
Type: MALWARE
Platforms: Windows
Contributors: Christiaan Beek, @ChristiaanBeek, Ryan Becwar
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

TURNEDUP is capable of creating a reverse shell.[1]

Enterprise T1055 Process Injection

TURNEDUP is capable of injecting code into the APC queue of a created Rundll32 process as part of an "Early Bird injection."[3]

Enterprise T1060 Registry Run Keys / Startup Folder

TURNEDUP is capable of writing to a Registry Run key to establish.[3]

Enterprise T1105 Remote File Copy

TURNEDUP is capable of downloading additional files.[1]

Enterprise T1113 Screen Capture

TURNEDUP is capable of taking screenshots.[1]

Enterprise T1082 System Information Discovery

TURNEDUP is capable of gathering system information.[1]

Groups That Use This Software

ID Name References
G0064 APT33 [1] [2] [4]

References