Contributors: Christiaan Beek, @ChristiaanBeek, Ryan Becwar
|Domain|ID|Name|Use|
|---|---|---|---|
|Enterprise|T1059|Command-Line Interface|TURNEDUP is capable of creating a reverse shell.|
|Enterprise|T1055|Process Injection|TURNEDUP is capable of injecting code into the APC queue of a created Rundll32 process as part of an "Early Bird injection."|
|Enterprise|T1060|Registry Run Keys / Startup Folder|TURNEDUP is capable of writing to a Registry Run key to establish.|
|Enterprise|T1105|Remote File Copy|TURNEDUP is capable of downloading additional files.|
|Enterprise|T1113|Screen Capture|TURNEDUP is capable of taking screenshots.|
|Enterprise|T1082|System Information Discovery|TURNEDUP is capable of gathering system information.|
Groups That Use This Software
|ID|Name|References|
|---|---|---|
|G0064|APT33| |
References
- O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
- Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
- Gavriel, H. & Erbesfeld, B. (2018, April 11). New 'Early Bird' Code Injection Technique Discovered. Retrieved May 24, 2018.
- Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.