Attackers drop DragonForce ransomware leveraging MS Teams relay systems

Attackers were observed deploying DragonForce ransomware against a major U.S. services firm, hiding command-and-control (C2) traffic inside Microsoft Teams’ own relay infrastructure using a new custom Go-based backdoor called Backdoor.Turn.

In a June 16 blog post, researchers at Symantec and Carbon Black explained that the attackers could abuse trust in MS Teams so effectively that the only traffic network defenders could see was outbound connections to legitimate Microsoft Teams servers. The researchers said the attackers were on the victim network for between one and two months.

Robert Coles, senior manager of threat intelligence security at Black Duck, said the case is a clear example of how ransomware tradecraft continues to evolve.

“Frankly, it’s more about the abuse of trusted infrastructure than just a new piece of malware,” said Coles.

Coles said what is interesting here is the use of Microsoft Teams’ TURN relay capability (Traversal Using Relays around NAT), which was designed to help systems communicate when direct connectivity isn’t possible. It essentially acts as a trusted intermediary, relaying traffic through Microsoft infrastructure so sessions still work reliably.

“In this case, the attackers are leveraging that exact capability to mask command-and-control traffic,” said Coles. “By routing communications through legitimate Microsoft relay servers, everything looks like normal Teams activity from a network perspective. That makes it extremely difficult to detect using traditional controls like IP, domain, or reputation-based filtering.”

Kieran Human, lead cybersecurity engineer at ThreatLocker, added that DragonForce abused the trusted Microsoft Teams relay infrastructure to hide communications between its malware and attacker-controlled systems, making malicious traffic look like legitimate Teams activity.

“The bigger danger is that attackers have now demonstrated they can hide their backdoor communications behind a service that organizations use and trust every day,” said Human. “It's another reminder that trust shouldn't be based just on the platform carrying the traffic. Behavior must be verified because attackers are finding novel ways to abuse legitimate services.”

Human said ThreatLocker has been monitoring DragonForce for some time. The group operates under a ransomware-as-a-service (RaaS) model, delivering ransomware tools and infrastructure to affiliates who carry out attacks and share stolen funds. Human added that DragonForce is known for its aggressive recruitment and public-facing approach, making it one of the important players in the cybercrime economy.
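The point both researchers make is that reputation-based controls cannot help when the destination really is Microsoft, so detection has to look at behaviour instead. The script below is an added illustration, not code from the Symantec/Carbon Black report or from either vendor quoted here: it triages flow records that an EDR or NetFlow collector with process context might produce, flagging connections to Teams relay endpoints that come from an unexpected process or run far longer than any meeting. The `dst_tag` enrichment, the process allowlist, the session threshold and all sample records are assumptions constructed for the example.

```python
"""Behaviour-based triage of connections to Teams TURN relay endpoints.

Added example, not from the article. Assumes a hypothetical upstream
enrichment step has already tagged each flow whose destination falls in
Microsoft's published Teams relay ranges with dst_tag="teams_relay".
"""
from collections import Counter

# Processes expected to talk to Teams relay infrastructure (assumed allowlist;
# tune to the Teams client builds actually deployed in your environment).
EXPECTED_PROCESSES = {"ms-teams.exe", "teams.exe"}

# Constructed flow records, one per connection, with the originating process.
SAMPLE_FLOWS = [
    {"host": "ws01", "proc": "ms-teams.exe", "dst_tag": "teams_relay", "duration_s": 1800},
    {"host": "ws01", "proc": "ms-teams.exe", "dst_tag": "teams_relay", "duration_s": 2400},
    {"host": "srv07", "proc": "svchost.exe", "dst_tag": "teams_relay", "duration_s": 86000},
    {"host": "srv07", "proc": "svchost.exe", "dst_tag": "teams_relay", "duration_s": 85900},
    {"host": "ws02", "proc": "chrome.exe", "dst_tag": "cdn", "duration_s": 5},
]


def suspicious_relay_flows(flows, expected=EXPECTED_PROCESSES, max_session_s=4 * 3600):
    """Return relay-bound flows that fail a behavioural check.

    Neither check depends on IP or domain reputation: the originating
    process is not a Teams client, or the session outlives any plausible
    call or meeting (the 4-hour threshold is an assumption to tune).
    """
    findings = []
    for f in flows:
        if f["dst_tag"] != "teams_relay":
            continue
        reasons = []
        if f["proc"].lower() not in expected:
            reasons.append("unexpected_process")
        if f["duration_s"] > max_session_s:
            reasons.append("long_lived_session")
        if reasons:
            findings.append({**f, "reasons": reasons})
    return findings


def hosts_by_finding_count(findings):
    """Rank hosts so an analyst starts with the noisiest offender."""
    return Counter(f["host"] for f in findings).most_common()


if __name__ == "__main__":
    hits = suspicious_relay_flows(SAMPLE_FLOWS)
    for h in hits:
        print(h["host"], h["proc"], ",".join(h["reasons"]))
    print(hosts_by_finding_count(hits))
```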