DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic
Summary
Threat actors linked to the DragonForce ransomware are using a new Go-based RAT, Backdoor.Turn, to hide their command-and-control (C2) traffic within Microsoft Teams relay infrastructure. This technique was discovered after the backdoor was deployed against a significant U.S. services firm.
IFF Assessment
This article describes a new technique used by threat actors to conceal their malicious activity, making it harder for defenders to detect and respond to attacks.
Defender Context
Defenders should be aware of evolving tactics used by threat actors to obfuscate C2 communication, as hiding traffic within legitimate services like Microsoft Teams can bypass traditional network security controls. Monitoring for unusual patterns or unexpected data flows related to widely used collaboration platforms is crucial.
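One way to apply that monitoring advice, as an added example that is not from the original article: flag hosts where a process outside the expected Teams clients talks to Teams media relay address space. The relay ranges and ports are assumed from Microsoft's published Microsoft 365 endpoint list and should be refreshed before use; the process allowlist, the flow record fields and the sample flows are constructed for illustration.

```python
import ipaddress

# Assumption: Teams media relay ranges and ports taken from Microsoft's
# published Microsoft 365 endpoint list; refresh from the current list.
TEAMS_RELAY_NETS = [ipaddress.ip_network(n) for n in
                    ("13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15")]
TEAMS_RELAY_UDP_PORTS = {3478, 3479, 3480, 3481}

# Assumption: processes expected to reach Teams relays here (tune per estate).
EXPECTED_PROCESSES = {"ms-teams.exe", "teams.exe", "msedgewebview2.exe",
                      "msedge.exe", "chrome.exe"}


def is_teams_relay(dst_ip, dst_port, proto):
    """True if the destination looks like Teams media relay traffic."""
    addr = ipaddress.ip_address(dst_ip)
    in_range = any(addr in net for net in TEAMS_RELAY_NETS)
    udp_media = proto == "udp" and dst_port in TEAMS_RELAY_UDP_PORTS
    tcp_fallback = proto == "tcp" and dst_port == 443
    return in_range and (udp_media or tcp_fallback)


def find_unexpected_relay_clients(flows):
    """Return (host, process, dst_ip, dst_port) for relay flows whose
    originating process is not an expected Teams client."""
    findings = []
    for f in flows:
        if not is_teams_relay(f["dst_ip"], f["dst_port"], f["proto"]):
            continue
        if f["process"].lower() in EXPECTED_PROCESSES:
            continue
        findings.append((f["host"], f["process"], f["dst_ip"], f["dst_port"]))
    return findings


# Constructed sample endpoint flow records (not real telemetry).
SAMPLE_FLOWS = [
    {"host": "ws-01", "process": "ms-teams.exe", "dst_ip": "52.112.10.20",
     "dst_port": 3478, "proto": "udp"},
    {"host": "ws-02", "process": "svcupd.exe", "dst_ip": "52.113.5.9",
     "dst_port": 3479, "proto": "udp"},
    {"host": "ws-03", "process": "chrome.exe", "dst_ip": "93.184.216.34",
     "dst_port": 443, "proto": "tcp"},
    {"host": "srv-04", "process": "Updater.EXE", "dst_ip": "13.107.65.1",
     "dst_port": 443, "proto": "tcp"},
]

if __name__ == "__main__":
    for finding in find_unexpected_relay_clients(SAMPLE_FLOWS):
        print("unexpected Teams relay client:", finding)
```

Servers and hosts with no Teams client installed are the highest-signal place to run this check, since any relay flow from them is unexpected.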