TURNEDUP

TURNEDUP is a non-public backdoor. It has been dropped by APT33's DROPSHOT malware (also known as Stonedrill). [1] [2]

ID: S0199
Type: MALWARE
Contributors: Christiaan Beek, @ChristiaanBeek; Ryan Becwar

Platforms: Windows

Version: 1.0

Techniques Used

Domain      ID     Name                                  Use
Enterprise  T1059  Command-Line Interface                TURNEDUP is capable of creating a reverse shell. [1]
Enterprise  T1055  Process Injection                     TURNEDUP is capable of injecting code into the APC queue of a created Rundll32 process as part of an "Early Bird injection." [3]
Enterprise  T1060  Registry Run Keys / Startup Folder    TURNEDUP is capable of writing to a Registry Run key to establish persistence. [3]
Enterprise  T1105  Remote File Copy                      TURNEDUP is capable of downloading additional files. [1]
Enterprise  T1113  Screen Capture                        TURNEDUP is capable of taking screenshots. [1]
Enterprise  T1082  System Information Discovery          TURNEDUP is capable of gathering system information. [1]

Groups

Groups that use this software:

APT33

References