DragonForce ransomware used custom malware named 'Backdoor.Turn' to hide command-and-control traffic inside Microsoft Teams relay infrastructure.

The backdoor abuses the Traversal Using Relays around NAT (TURN) protocol used by Microsoft Teams to distribute messages when a direct connection to the client is unavailable (e.g., clients on a private network).

DragonForce is a ransomware operation, active since at least 2023, that adopted a cartel-style organizational structure and has been linked to the infamous Scattered Spider threat group.

According to researchers at the cybersecurity company Symantec, the hackers used custom Go-based malware in an attack against a major U.S. services company.

Backdoor.Turn abuses Teams' TURN infrastructure by obtaining an anonymous Teams visitor token, using a legitimate Microsoft TURN relay during connection setup, and then connecting to the attacker's command-and-control (C2) server.
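
Because the relay destination is legitimate Microsoft infrastructure, a destination-based block list will not flag this traffic; one hunting angle is to check which process opens the relay connection. The sketch below is an added example, not Symantec's detection logic or code from the malware: it scans constructed endpoint flow records for Teams relay connections made by a binary that is not a known Teams client or that runs from an unexpected path. The relay ranges, ports, process names, install-path fragments and the record format are assumptions to verify and tune for your environment.

```python
import csv, io, ipaddress, ntpath

# Assumptions: relay ranges/ports taken from Microsoft's published Microsoft 365
# endpoint list (re-check it before use); TCP 443 is treated as the relay
# fallback; expected binaries and path fragments are typical defaults to tune.
RELAY_NETS = [ipaddress.ip_network(n) for n in
              ("13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15")]
RELAY_UDP_PORTS = range(3478, 3482)
EXPECTED = {  # image name -> substring its full path must contain
    "ms-teams.exe": "\\windowsapps\\msteams_",
    "teams.exe": "\\appdata\\local\\microsoft\\teams\\",
}

# Constructed flow records (not real telemetry): host,image,proto,dst_ip,dst_port
SAMPLE = r"""
ws-01,C:\Program Files\WindowsApps\MSTeams_1.0_x64__8wekyb3d8bbwe\ms-teams.exe,udp,52.114.10.20,3478
ws-02,C:\Users\Public\svc-update.exe,udp,52.115.1.9,3479
ws-03,C:\ProgramData\ms-teams.exe,tcp,52.123.4.5,443
ws-02,C:\Users\Public\svc-update.exe,tcp,203.0.113.10,443
"""

def is_relay(proto, dst_ip, port):
    """True if the flow targets a Teams relay range on a relay port."""
    addr = ipaddress.ip_address(dst_ip)
    if not any(addr in net for net in RELAY_NETS):
        return False
    return (proto == "udp" and port in RELAY_UDP_PORTS) or (proto == "tcp" and port == 443)

def unexpected_relay_clients(log_text):
    """Return (host, image, reason) for relay flows not made by a known Teams binary."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if not row:  # skip blank lines
            continue
        host, image, proto, dst_ip, port = row
        if not is_relay(proto.lower(), dst_ip, int(port)):
            continue
        name = ntpath.basename(image).lower()
        required = EXPECTED.get(name)
        if required is None:
            findings.append((host, name, "unexpected-process"))
        elif required not in image.lower():  # right name, wrong location
            findings.append((host, name, "unexpected-path"))
    return findings

if __name__ == "__main__":
    for finding in unexpected_relay_clients(SAMPLE):
        print(finding)
```

Browsers running the Teams web client also reach these relays, so add them to the allowlist or review them separately rather than treating every hit as malicious.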