Threat actors associated with the DragonForce ransomware have been observed using a custom Go-based remote access trojan (RAT) called Backdoor.Turn to conceal command-and-control (C2) traffic inside Microsoft Teams relay infrastructure.
According to findings from Broadcom-owned Symantec and Carbon Black, the backdoor was deployed against a major U.S. services firm. The name of the company was not disclosed.
“Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, uses a legitimate Microsoft TURN relay to set up the connection, and then runs a QUIC session to the attacker’s real command-and-control (C2) server,” the Threat Hunter Team said in a report shared with The Hacker News.
“To network defenders, the only traffic they could see was outbound connections to legitimate Microsoft Teams servers. The attackers were on the victim network for between one and two months.”
The development marks the first publicly documented instance of the threat actors abusing Microsoft’s Traversal Using Relays around NAT (TURN) relay infrastructure.
It’s suspected the threat actor obtained initial access by exploiting a vulnerability in either an SQL or MS-SQL server, although the exact nature of the flaw is unknown. It’s also possible that the access was acquired from an initial access broker (IAB).
Initial malicious activity on the victim network began in December 2025, with the attackers running a PowerShell command to drop a ZIP archive under the pretext of a tech support hotfix. The ZIP file is responsible for launching a DLL side-loading attack, which runs a rogue DLL to conduct reconnaissance, set up persistence, and silence security software using a Huawei driver (“HWAuidoOs2Ec.sys”).
This is achieved by means of an attack technique called bring your own vulnerable driver (BYOVD). The same driver has been put to use in a large-scale malvertising campaign targeting U.S.-based individuals searching for tax-related documents, although that campaign is said to have taken place after the ransomware incident.
Some of the other drivers used for this purpose are listed below –
What’s notable about the attack is the execution of Backdoor.Turn by injecting it into the legitimate “DbgView64.exe” process after the DragonForce ransomware has been deployed. This suggests an attempt to maintain continued access to the compromised host for later attacks or reselling it for profit.
Backdoor.Turn’s underlying TURN-based mechanism leans on a stealthy C2 communication technique called Ghost Calls that was documented by Praetorian in August 2024. The backdoor supports a wide range of capabilities, including command execution, process creation, network scanning, LDAP and Active Directory search, credential-based lateral movement, and browser credential theft.
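The defensive takeaway from the description above is that the destination alone looks like legitimate Teams traffic, so the process making the connection is the usable signal. The following is an added example, not code from the Symantec report or the original article: it runs a simple process-to-destination check over constructed endpoint telemetry. The relay address ranges, ports and the allowlist of expected Teams client processes are assumptions that must be verified against Microsoft's published endpoint list and the environment's own software inventory.

```python
import ipaddress
from typing import Dict, List, Tuple

# Assumed Microsoft Teams media/TURN relay ranges and ports. Microsoft publishes
# the authoritative list; verify these before deploying the rule.
TEAMS_RELAY_NETS = [ipaddress.ip_network(n) for n in ("52.112.0.0/14", "52.122.0.0/15")]
TEAMS_RELAY_PORTS = {3478, 3479, 3480, 3481, 443}

# Processes expected to talk to Teams relays on a managed endpoint (assumption).
EXPECTED_TEAMS_CLIENTS = {"ms-teams.exe", "teams.exe", "msedgewebview2.exe"}

# Constructed telemetry: one record per outbound connection, as an EDR would log it.
SAMPLE_CONNECTIONS: List[Dict] = [
    {"host": "WS-014", "process": "ms-teams.exe", "dst_ip": "52.113.10.20", "dst_port": 3478, "proto": "udp"},
    {"host": "SQL-02", "process": "DbgView64.exe", "dst_ip": "52.122.5.7", "dst_port": 3478, "proto": "udp"},
    {"host": "SQL-02", "process": "DbgView64.exe", "dst_ip": "52.122.5.7", "dst_port": 443, "proto": "udp"},
    {"host": "WS-014", "process": "chrome.exe", "dst_ip": "142.250.74.1", "dst_port": 443, "proto": "tcp"},
]


def is_teams_relay(ip: str, port: int) -> bool:
    """True if the destination falls inside the assumed Teams relay ranges and ports."""
    addr = ipaddress.ip_address(ip)
    return port in TEAMS_RELAY_PORTS and any(addr in net for net in TEAMS_RELAY_NETS)


def find_relay_anomalies(connections: List[Dict]) -> List[Dict]:
    """Return connections to Teams relays made by processes that are not Teams clients.

    Backdoor.Turn was injected into DbgView64.exe, so a debugging utility (or any
    non-Teams binary) holding a TURN relay session is the anomaly to surface.
    """
    findings = []
    for conn in connections:
        if not is_teams_relay(conn["dst_ip"], conn["dst_port"]):
            continue  # ordinary traffic, not relay-bound
        if conn["process"].lower() in EXPECTED_TEAMS_CLIENTS:
            continue  # the real Teams client is expected to do this
        findings.append(conn)
    return findings


def summarize(findings: List[Dict]) -> Dict[Tuple[str, str], int]:
    """Collapse findings to one count per (host, process) so a single implant
    with many relay sessions produces one alert rather than one per packet."""
    counts: Dict[Tuple[str, str], int] = {}
    for f in findings:
        key = (f["host"], f["process"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```

On a server such as the one in the sample, any Teams relay traffic at all may be worth alerting on, since servers rarely run a Teams client; the process allowlist can be tightened per host role.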
“The backdoor requests a visitor token from the Microsoft Teams/Skype backend, uses that…
