DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic
Key Points:
- Threat actors linked to DragonForce ransomware have used a custom Go-based RAT called Backdoor.Turn to hide command-and-control traffic within Microsoft Teams relay infrastructure, evading detection by appearing as legitimate Teams server connections.
- The backdoor exploits Microsoft’s TURN relay infrastructure by obtaining anonymous Teams visitor tokens and establishing QUIC sessions to attacker C2 servers, marking the first known abuse of this method by threat actors.
- Initial access was likely gained through an SQL or MS-SQL server vulnerability or via an initial access broker; the attackers then maintained a presence on the victim’s network for one to two months, using techniques such as DLL side-loading and bring-your-own-vulnerable-driver (BYOVD) abuse.
- Backdoor.Turn supports extensive capabilities including command execution, network scanning, lateral movement, and credential theft, and is injected into legitimate processes post-ransomware deployment to ensure persistent access.
- The DragonForce group has evolved from a ransomware-as-a-service model to a formalized cartel employing sophisticated cyber tradecraft, highlighting their increasing capability and persistence in high-impact targeted attacks.
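The key points above describe the detection problem, not a detection. As an added illustration (not code from the article or from the researchers it summarizes), the following Python hunting script works the other way round from the attacker: relay sessions to Microsoft Teams TURN infrastructure are expected from a Teams process, so a TURN or QUIC session to a relay destination opened by any other process (Backdoor.Turn is injected into legitimate processes after ransomware deployment) or by a host on which no Teams process has been seen is worth a look. The log format, the `teams-relay` destination tag, the relay hostnames and the host names are all constructed for the example; the Teams binary names and the standard TURN ports (3478/3479, RFC 8656) and UDP/443 for QUIC are the only real values, and the list of Teams images should be adjusted to the build your fleet runs.

```python
"""Added hunting example: flag Teams TURN-relay / QUIC sessions that do not
come from a Teams process. Log lines, relay hostnames and the destination tag
are constructed; they are not indicators from the article."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Process images expected to open TURN/QUIC sessions to Teams relays.
# Assumption: adjust to the Teams build(s) deployed in your environment.
TEAMS_IMAGES = {"ms-teams.exe", "teams.exe"}
# TURN listens on 3478/3479 (RFC 8656); QUIC runs over UDP/443.
RELAY_PORTS = {3478, 3479, 443}
# Assumption: your telemetry tags destinations that resolve to Teams relay
# infrastructure (for example from DNS or published IP ranges); the tag value
# used here is a constructed string.
RELAY_TAG = "teams-relay"


@dataclass(frozen=True)
class NetConn:
    host: str
    image: str      # full path of the process that opened the socket
    proto: str
    dst: str
    dst_port: int
    dst_tag: str

    @property
    def exe(self) -> str:
        """Lower-cased file name of the process image."""
        return self.image.replace("\\", "/").rsplit("/", 1)[-1].lower()

    @property
    def to_relay(self) -> bool:
        """True for a UDP session to a relay-tagged host on a TURN or QUIC port."""
        return (self.dst_tag == RELAY_TAG and self.proto == "udp"
                and self.dst_port in RELAY_PORTS)


def parse_line(line: str) -> NetConn:
    """Parse one 'key=value|key=value' connection record (constructed format)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return NetConn(
        host=fields["host"], image=fields["image"], proto=fields["proto"].lower(),
        dst=fields["dst"], dst_port=int(fields["dst_port"]), dst_tag=fields["tag"],
    )


def find_suspicious(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per relay session that Teams itself did not open."""
    conns = [parse_line(ln) for ln in lines if ln.strip()]
    findings: List[Dict[str, str]] = []
    # Rule 1: relay session opened by a process that is not Teams. The backdoor
    # is injected into legitimate processes, so the image itself looks benign;
    # the mismatch between image and destination is the signal.
    for c in conns:
        if c.to_relay and c.exe not in TEAMS_IMAGES:
            findings.append({"host": c.host, "image": c.exe, "dst": c.dst,
                             "reason": "relay session from non-Teams process"})
    # Rule 2: a host with relay traffic but no Teams process in the whole window.
    by_host: Dict[str, List[NetConn]] = defaultdict(list)
    for c in conns:
        by_host[c.host].append(c)
    for host, cs in by_host.items():
        if any(c.to_relay for c in cs) and not any(c.exe in TEAMS_IMAGES for c in cs):
            findings.append({"host": host, "image": "-", "dst": "-",
                             "reason": "relay traffic on host with no Teams process"})
    return findings


# Constructed sample telemetry: two Teams hosts, one injected svchost.exe on
# ws01, and a server (srv02) that has no Teams at all but talks to a relay.
SAMPLE_LOG = """\
host=ws01|image=C:\\Users\\a\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe|proto=udp|dst=relay-1.example.invalid|dst_port=3478|tag=teams-relay
host=ws01|image=C:\\Windows\\System32\\svchost.exe|proto=udp|dst=relay-2.example.invalid|dst_port=443|tag=teams-relay
host=srv02|image=C:\\Windows\\explorer.exe|proto=udp|dst=relay-3.example.invalid|dst_port=3478|tag=teams-relay
host=srv02|image=C:\\Windows\\System32\\svchost.exe|proto=tcp|dst=update.example.invalid|dst_port=443|tag=none
host=ws03|image=C:\\Program Files\\WindowsApps\\MSTeams_x64\\ms-teams.exe|proto=udp|dst=relay-1.example.invalid|dst_port=3478|tag=teams-relay
"""

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG.splitlines()):
        print(finding)
```

Against the sample log the script reports the svchost.exe relay session on ws01, the explorer.exe session on srv02, and srv02 as a host with relay traffic but no Teams process; the two Teams clients produce nothing. In a real deployment the relay tag would come from your DNS or flow enrichment, and rule 2 needs a window long enough to have seen Teams start on hosts where it is installed.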