

TURNEDUP is a non-public backdoor. It has been dropped by APT33's StoneDrill malware. [1] [2]

ID: S0199
Platforms: Windows
Contributors: Christiaan Beek, @ChristiaanBeek, Ryan Becwar
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | TURNEDUP is capable of creating a reverse shell. [1] |
| Enterprise | T1055 | Process Injection | TURNEDUP is capable of injecting code into the APC queue of a created Rundll32 process as part of an "Early Bird injection." [3] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | TURNEDUP is capable of writing to a Registry Run key to establish. [3] |
| Enterprise | T1105 | Remote File Copy | TURNEDUP is capable of downloading additional files. [1] |
| Enterprise | T1113 | Screen Capture | TURNEDUP is capable of taking screenshots. [1] |
| Enterprise | T1082 | System Information Discovery | TURNEDUP is capable of gathering system information. [1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0064 | APT33 | [1] [2] [4] |