TURNEDUP

TURNEDUP, Notestuk
(Type: Reconnaissance, Backdoor, Info stealer, Exfiltration)

(FireEye) Backdoor capable of uploading and downloading files, creating a reverse shell, taking screenshots, and gathering system information.

[News Analysis] Trends:

Total Trend: 4

Trend Per Year
2017: 1
2018: 1
2019: 2

Trend Per Month
Sep 2017: 1
Apr 2018: 1
Mar 2019: 2



[News Analysis] News Mention Another Threat Name:

9 - DarkComet
11 - Nanocore RAT
9 - pupy
9 - Quasar RAT
9 - Remcos
11 - TURNEDUP
11 - APT33
9 - MimiKatz
11 - NetWire RC
9 - StoneDrill
5 - DROPSHOT
5 - SHAPESHIFT


[TTP Analysis] Technique Performance:

Tactic: techniques observed / techniques in tactic
Reconnaissance: 0/43
Resource Development: 0/45
Initial Access: 0/19
Execution: 1/36
Persistence: 1/113
Privilege Escalation: 2/96
Defense Evasion: 1/184
Credential Access: 0/63
Discovery: 1/44
Lateral Movement: 0/22
Collection: 1/37
Command and Control: 1/39
Exfiltration: 0/18
Impact: 0/26


[TTP Analysis] Mitre Attack Matrix:

Reconnaissance (TA0043): none
Resource Development (TA0042): none
Initial Access (TA0001): none
Execution (TA0002):
  T1059.003 - Command and Scripting Interpreter: Windows Command Shell
Persistence (TA0003):
  T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation (TA0004):
  T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  T1055.004 - Process Injection: Asynchronous Procedure Call
Defense Evasion (TA0005):
  T1055.004 - Process Injection: Asynchronous Procedure Call
Credential Access (TA0006): none
Discovery (TA0007):
  T1082 - System Information Discovery
Lateral Movement (TA0008): none
Collection (TA0009):
  T1113 - Screen Capture
Command and Control (TA0011):
  T1105 - Ingress Tool Transfer
Exfiltration (TA0010): none
Impact (TA0040): none


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

News Article (Credit @Malpedia)

Basic Information (Credit @etda.or.th)

Tool: TURNEDUP

Names: TURNEDUP, Notestuk

Description: (FireEye) Backdoor capable of uploading and downloading files, creating a reverse shell, taking screenshots, and gathering system information.

Category: Malware

Type: Reconnaissance, Backdoor, Info stealer, Exfiltration

Information: https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html

Mitre-attack: https://attack.mitre.org/software/S0199/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.turnedup

Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:TURNEDUP

Last-card-change: 2022-12-28

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

Reconnaissance (TA0043): none
Resource Development (TA0042): none
Initial Access (TA0001): none
Execution (TA0002):
  T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  TURNEDUP is capable of creating a reverse shell.
Persistence (TA0003):
  T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  TURNEDUP is capable of writing to a Registry Run key to establish.
Privilege Escalation (TA0004):
  T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  TURNEDUP is capable of writing to a Registry Run key to establish.
  T1055.004 - Process Injection: Asynchronous Procedure Call
  TURNEDUP is capable of injecting code into the APC queue of a created rundll32 process as part of an "early bird injection."
Defense Evasion (TA0005):
  T1055.004 - Process Injection: Asynchronous Procedure Call
  TURNEDUP is capable of injecting code into the APC queue of a created rundll32 process as part of an "early bird injection."
Credential Access (TA0006): none
Discovery (TA0007):
  T1082 - System Information Discovery
  TURNEDUP is capable of gathering system information.
Lateral Movement (TA0008): none
Collection (TA0009):
  T1113 - Screen Capture
  TURNEDUP is capable of taking screenshots.
Command and Control (TA0011):
  T1105 - Ingress Tool Transfer
  TURNEDUP is capable of downloading additional files.
Exfiltration (TA0010): none
Impact (TA0040): none