Ransomware gang abuses Microsoft Teams relays to hide malicious traffic

DragonForce used a custom Go-based backdoor called Backdoor.Turn to hide command-and-control traffic inside Microsoft Teams TURN relay infrastructure, making its communications look like trusted Microsoft traffic. Researchers say the campaign used sophisticated tradecraft, including BYOVD techniques and multiple malicious drivers, before exfiltrating data and deploying DragonForce ransomware. #DragonForce #BackdoorTurn #MicrosoftTeams #ScatteredSpider

Key points

  • Backdoor.Turn hid C2 traffic through Microsoft Teams TURN relays.
  • The malware used a legitimate Teams visitor token to connect to the attacker’s server.
  • DragonForce is linked to Scattered Spider and has operated since at least 2023.
  • The attackers used BYOVD with multiple vulnerable drivers to gain kernel-level access.
  • After reconnaissance and data theft, they deployed DragonForce ransomware and encrypted systems.
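Because the relay endpoint in this technique is Microsoft's own infrastructure, destination reputation alone will not surface it; what stands out is who on the endpoint is talking to a TURN relay, and for how long. The script below is an added example, not code from the article or from the researchers who analysed Backdoor.Turn. It scores endpoint network-connection records (the shape of a Sysmon network event is assumed) against three heuristics: a non-Teams process reaching a TURN port, a session far longer than any meeting, and an outbound volume far larger than call media. The process names, thresholds, and sample records are assumptions and constructed data, not indicators from the campaign.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Standard TURN port from RFC 8656 plus the adjacent ports Teams media uses (assumption).
TURN_PORTS = {3478, 3479, 3480, 3481}
# Image names the Teams client runs under on Windows (assumption; adjust to your estate).
TEAMS_PROCESSES = {"teams.exe", "ms-teams.exe"}
# Tunable thresholds: longer or larger than any plausible call.
MAX_SESSION_SECONDS = 8 * 3600
MAX_SESSION_BYTES = 500 * 1024 * 1024


@dataclass(frozen=True)
class NetEvent:
    host: str          # endpoint that made the connection
    process: str       # image name of the connecting process (e.g. Sysmon event ID 3)
    dst_ip: str
    dst_port: int
    proto: str         # "udp" or "tcp"
    duration_s: int    # session length in seconds
    bytes_out: int     # bytes sent by the endpoint


def turn_session_findings(ev: NetEvent) -> List[str]:
    """Return the reasons a TURN-port session looks anomalous (empty if none).

    Connections to non-TURN ports are ignored: this check only scores
    traffic that would otherwise pass as Teams media.
    """
    if ev.dst_port not in TURN_PORTS:
        return []
    findings: List[str] = []
    if ev.process.lower() not in TEAMS_PROCESSES:
        findings.append(f"non-Teams process '{ev.process}' on TURN port {ev.dst_port}")
    if ev.duration_s > MAX_SESSION_SECONDS:
        findings.append(f"session of {ev.duration_s}s exceeds {MAX_SESSION_SECONDS}s")
    if ev.bytes_out > MAX_SESSION_BYTES:
        findings.append(f"{ev.bytes_out} bytes out exceeds {MAX_SESSION_BYTES}")
    return findings


def triage(events: List[NetEvent]) -> Dict[Tuple[str, str], List[str]]:
    """Map (host, process) -> accumulated findings for every flagged session."""
    results: Dict[Tuple[str, str], List[str]] = {}
    for ev in events:
        findings = turn_session_findings(ev)
        if findings:
            results.setdefault((ev.host, ev.process), []).extend(findings)
    return results


# Constructed sample events; IPs (RFC 5737 ranges) and process names are
# illustrative only, not indicators from the DragonForce campaign.
SAMPLE_EVENTS = [
    NetEvent("ws-01", "ms-teams.exe", "198.51.100.10", 3478, "udp", 2700, 40 * 1024 * 1024),
    NetEvent("ws-02", "update-helper.exe", "198.51.100.11", 3478, "tcp", 86400, 1200 * 1024 * 1024),
    NetEvent("ws-03", "chrome.exe", "203.0.113.5", 443, "tcp", 300, 2 * 1024 * 1024),
    NetEvent("ws-04", "ms-teams.exe", "198.51.100.12", 3479, "udp", 36000, 20 * 1024 * 1024),
]

if __name__ == "__main__":
    for key, findings in triage(SAMPLE_EVENTS).items():
        print(key, "->", "; ".join(findings))
```

In the sample data, a 45-minute Teams call from the real client is left alone, an unknown binary holding a day-long, gigabyte-scale TURN session is flagged on all three counts, and a genuine Teams process with an unusually long session is flagged on duration only, which is the kind of single-signal hit that belongs in a lower-priority queue rather than an alert. Tune the thresholds from your own baseline before relying on them, and treat the process allowlist as a starting point: a backdoor injected into or masquerading as the Teams client would pass the first check, so the volume and duration signals matter independently.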

Read More: https://www.bleepingcomputer.com/news/security/ransomware-gang-abuses-microsoft-teams-relays-to-hide-malicious-traffic/