TURNEDUP
TURNEDUP is a non-public backdoor. It has been dropped by APT33's StoneDrill malware. [1] [2]
ID: S0199
Type: MALWARE
Platforms: Windows
Contributors: Christiaan Beek, @ChristiaanBeek, Ryan Becwar
Version: 1.0
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | |
| Enterprise | T1055 | Process Injection |
TURNEDUP is capable of injecting code into the APC queue of a created Rundll32 process as part of an "Early Bird injection."[3] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder |
TURNEDUP is capable of writing to a Registry Run key to establish.[3] |
| Enterprise | T1105 | Remote File Copy | |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1082 | System Information Discovery |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0064 | APT33 | [1] [2] [4] |
References
- O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
- Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
- Gavriel, H. & Erbesfeld, B. (2018, April 11). New ‘Early Bird’ Code Injection Technique Discovered. Retrieved May 24, 2018.
- Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.