TURNEDUP
Malware
⚠️ Overview
TURNEDUP is a backdoor malware family attributed to the North Korean threat group Lazarus (also known as HIDDEN COBRA), first publicly documented by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in joint advisory AA21-048A on February 17, 2021. It is categorized as a remote access trojan (RAT) designed for persistent surveillance, data exfiltration, and command execution on compromised Windows systems, primarily targeting defense, aerospace, and government entities globally.
🔧 Technical Capabilities
TURNEDUP uses spear-phishing emails with malicious Word documents or executables as initial infection vectors, often exploiting CVE-2017-11882 (Microsoft Office equation editor vulnerability) to drop the payload. Once installed, it establishes persistence via scheduled tasks or registry Run keys, and communicates with command-and-control (C2) servers over HTTP using encrypted traffic mimicking legitimate API calls to googleapis[.]com or cloudfront[.]net domains. The backdoor collects system information, keystrokes, clipboard data, and screenshots, and can upload files, download additional modules, or execute arbitrary shell commands. It employs evasion techniques such as process hollowing, DLL side-loading (e.g., using legitimate MSCOREE.DLL), and obfuscation of strings with simple XOR and Base64 encoding. C2 communication uses a custom protocol that includes a hardcoded User-Agent string Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 and beacon intervals ranging from 30 seconds to 5 minutes.
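The profile says the backdoor hides its strings with simple XOR and Base64 but does not give the key, the key length, or the order of the two layers. The following is an added analyst-side example, not code from the page or from any TURNEDUP sample: it assumes a single-byte XOR applied before Base64 encoding, and it recovers the key by trying all 256 values and ranking the outputs by how much they look like C2 text (letters, digits and URL punctuation). The sample string and the key 0x5A are constructed for the example.

```python
import base64
import string

# Constructed test data for this example: a made-up C2 path, not a string from a real sample.
SAMPLE_PLAINTEXT = "https://update-check.cloudfront.net/api/v1/status"
SAMPLE_KEY = 0x5A

# Characters an analyst expects in C2 strings (URLs, paths, hostnames).
TEXT_BYTES = set(string.ascii_letters.encode() + string.digits.encode() + b" ./:-_")


def obfuscate(text: str, key: int) -> str:
    """Assumed scheme (XOR with one byte, then Base64); used only to build test input."""
    xored = bytes(b ^ key for b in text.encode())
    return base64.b64encode(xored).decode()


def deobfuscate(blob: str, key: int) -> bytes:
    """Reverse the assumed scheme: Base64-decode, then XOR every byte with `key`."""
    raw = base64.b64decode(blob)
    return bytes(b ^ key for b in raw)


def text_score(data: bytes) -> float:
    """Fraction of bytes that are plausible C2-string characters; 1.0 means every byte fits."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in TEXT_BYTES) / len(data)


def recover(blob: str, min_score: float = 0.9):
    """Try every single-byte key and return (key, plaintext) candidates, best score first.

    Only candidates whose decoded output scores at least `min_score` are returned,
    so a wrong key that yields control characters or symbols is dropped.
    """
    candidates = []
    for key in range(256):
        plain = deobfuscate(blob, key)
        score = text_score(plain)
        if score >= min_score:
            candidates.append((score, key, plain))
    # Highest score first; ties broken by the numerically smaller key.
    candidates.sort(key=lambda c: (-c[0], c[1]))
    return [(key, plain.decode("ascii", errors="replace")) for _, key, plain in candidates]


if __name__ == "__main__":
    blob = obfuscate(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    for key, plain in recover(blob)[:3]:
        print(f"key=0x{key:02X}  {plain}")
```

Keys that differ from the real one by a single low bit still produce mostly printable output (they flip letters to neighbouring letters), which is why the ranking uses a character-class score rather than a printable-or-not check; on the constructed string only the true key reaches a score of 1.0.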
📜 History & Notable Incidents
First observed in 2020, TURNEDUP was used in campaigns against defense contractors in South Korea and the United States during 2020–2021, with CISA linking it to the broader Operation DreamJob campaign. Notable incidents include targeting aerospace company Lockheed Martin’s supply chain and the Korean Atomic Energy Research Institute (KAERI). In April 2022, the FBI attributed a TURNEDUP variant to the Lazarus subgroup BlueNoroff, which conducted cryptocurrency theft campaigns. No CVEs are directly embedded in TURNEDUP itself, but it leverages CVE-2017-11882 and CVE-2018-0824 (Microsoft Office memory corruption). No law enforcement takedowns have been publicly reported.
🔍 Detection Indicators
Known file hashes include SHA-256 9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f (example from CISA report) and MD5 4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a (specific samples vary per campaign). Behavioral indicators include outbound HTTP traffic to rare subdomains of legitimate cloud providers (e.g., malicious123.cloudfront.net), and creation of scheduled tasks named WindowsUpdate or AdobeFlashUpdate. Registry modifications under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with key names like SysHelper are common. Network IOCs include C2 IP addresses from AWS EC2 ranges (e.g., 54.xxx.xxx.xxx) and domains using .com or .net TLDs mimicking software update services.
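The indicators above (the hardcoded User-Agent and 30-second to 5-minute beacon interval from the capabilities section, the rare cloud-provider subdomains, the WindowsUpdate/AdobeFlashUpdate task names and the SysHelper Run value) can be turned into detection logic. The script below is an added example, not code from the page or from CISA; it runs three network checks and two endpoint checks over constructed proxy and endpoint log lines. The log format, the hostnames WS01/WS02, the client addresses, the 15% jitter threshold and the rule that a cloud subdomain seen from only one client counts as "rare" are all assumptions made for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Indicators quoted from the profile above.
UA_INDICATOR = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
TASK_NAMES = {"WindowsUpdate", "AdobeFlashUpdate"}
RUN_VALUE_NAMES = {"SysHelper"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
CLOUD_SUFFIXES = (".cloudfront.net", ".googleapis.com")
BEACON_MIN_S, BEACON_MAX_S = 30, 300   # beacon interval range stated in the profile
MAX_JITTER = 0.15                      # assumed: coefficient of variation below this is "regular"

# Constructed proxy log (not real traffic): "<ISO time>\t<client>\t<host>\t<user-agent>".
PROXY_LOG = """\
2021-02-17T09:00:00\t10.0.0.5\tmalicious123.cloudfront.net\tMozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
2021-02-17T09:01:02\t10.0.0.5\tmalicious123.cloudfront.net\tMozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
2021-02-17T09:01:58\t10.0.0.5\tmalicious123.cloudfront.net\tMozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
2021-02-17T09:03:01\t10.0.0.5\tmalicious123.cloudfront.net\tMozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
2021-02-17T09:04:00\t10.0.0.5\tmalicious123.cloudfront.net\tMozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
2021-02-17T09:00:10\t10.0.0.7\twww.googleapis.com\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0 Safari/537.36
2021-02-17T09:12:40\t10.0.0.7\twww.googleapis.com\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0 Safari/537.36
2021-02-17T09:00:10\t10.0.0.8\twww.googleapis.com\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0 Safari/537.36
"""

# Constructed endpoint events (not real telemetry): "<host>\t<event>\t<key=value>\t...".
ENDPOINT_LOG = """\
WS01\tTaskCreated\tTaskName=\\WindowsUpdate\tAuthor=WS01\\jdoe
WS01\tRegistrySet\tKey=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tValue=SysHelper
WS02\tTaskCreated\tTaskName=\\NightlyBackup\tAuthor=WS02\\admin
WS02\tRegistrySet\tKey=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tValue=OneDrive
"""


def network_findings(log: str):
    """Return (client, host, rule) tuples for the three network indicators."""
    by_pair = defaultdict(list)          # (client, host) -> [(time, user-agent)]
    clients_per_host = defaultdict(set)  # host -> distinct clients that contacted it
    for line in log.strip().splitlines():
        ts, client, host, ua = line.split("\t")
        by_pair[(client, host)].append((datetime.fromisoformat(ts), ua))
        clients_per_host[host].add(client)

    findings = []
    for (client, host), reqs in by_pair.items():
        reqs.sort()
        # Exact match on the whole header: the hardcoded value lacks the Chrome/Safari
        # tokens a real browser appends after AppleWebKit/537.36.
        if UA_INDICATOR in {ua for _, ua in reqs}:
            findings.append((client, host, "hardcoded_user_agent"))
        # A cloud-provider subdomain that only one client in the org ever talks to.
        if host.endswith(CLOUD_SUFFIXES) and len(clients_per_host[host]) == 1:
            findings.append((client, host, "rare_cloud_subdomain"))
        # Regular timing: median gap inside the stated beacon range with little jitter.
        if len(reqs) >= 4:
            times = [t for t, _ in reqs]
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
            if BEACON_MIN_S <= statistics.median(gaps) <= BEACON_MAX_S and cv < MAX_JITTER:
                findings.append((client, host, "regular_beacon"))
    return findings


def endpoint_findings(log: str):
    """Return (host, rule, value) tuples for the task-name and Run-key indicators."""
    findings = []
    for line in log.strip().splitlines():
        host, event, *rest = line.split("\t")
        kv = dict(field.split("=", 1) for field in rest)
        if event == "TaskCreated" and kv.get("TaskName", "").lstrip("\\") in TASK_NAMES:
            findings.append((host, "scheduled_task", kv["TaskName"]))
        if event == "RegistrySet" and kv.get("Key") == RUN_KEY and kv.get("Value") in RUN_VALUE_NAMES:
            findings.append((host, "run_key", kv["Value"]))
    return findings


if __name__ == "__main__":
    for f in network_findings(PROXY_LOG) + endpoint_findings(ENDPOINT_LOG):
        print(f)
```

Each rule is weak on its own (a single client fetching a CDN object also looks "rare"), so the intended use is to correlate: the same client and host hitting the User-Agent, rarity and beacon rules together, or a host that shows both the task name and the Run value, is what should raise an alert.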
☠️ Risk & Impact
TURNEDUP enables persistent cyber-espionage, allowing threat actors to exfiltrate sensitive intellectual property, classified defense data, and financial information, leading to multi-million dollar losses and national security breaches. The primary impacted sectors are defense, aerospace, energy, and cryptocurrency finance firms, with particular focus on South Korea and the United States. According to CISA, the malware has been used in campaigns that disrupted supply chain operations and led to the theft of military communications technology.
🛡️ Mitigation
Organizations should implement application whitelisting, enforce multi-factor authentication, and apply Microsoft security updates for CVE-2017-11882 and CVE-2018-0824. CISA recommends deploying YARA rules from advisory AA21-048A and blocking outbound connections to known malicious IPs and domains listed in the HIDDEN COBRA indicators of compromise. Endpoint detection and response (EDR) tools with behavioral analysis can detect TURNEDUP’s DLL side-loading and scheduled task creation.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.