TURNEDUP is a non-public backdoor. It has been dropped by APT33's StoneDrill malware. [1] [2]

ID: S0199
Platforms: Windows
Contributors: Christiaan Beek, @ChristiaanBeek; Ryan Becwar
Version: 1.1
Created: 18 April 2018
Last Modified: 09 February 2021

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

TURNEDUP is capable of writing to a Registry Run key to establish.[3]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

TURNEDUP is capable of creating a reverse shell.[1]

Enterprise T1105 Ingress Tool Transfer

TURNEDUP is capable of downloading additional files.[1]

Enterprise T1055 .004 Process Injection: Asynchronous Procedure Call

TURNEDUP is capable of injecting code into the APC queue of a created Rundll32 process as part of an "Early Bird injection."[3]

Enterprise T1113 Screen Capture

TURNEDUP is capable of taking screenshots.[1]

Enterprise T1082 System Information Discovery

TURNEDUP is capable of gathering system information.[1]

Groups That Use This Software

ID Name References
G0064 APT33