Crooks found a new way to collaborate using Teams – by hiding command-and-control traffic
Custom malware routed communications through legitimate Microsoft services, making malicious activity look like routine corporate collaboration
Cybercrims deploying DragonForce ransomware appear to have gained access to a major US services company's network, then spent two months up to no good while disguising their command-and-control activities as legitimate Microsoft Teams traffic.
Researchers at security firm Symantec said the intrusion began with attackers gaining access to the victim's environment before deploying a custom Go-based backdoor, tracked as "Backdoor.Turn," to maintain communication with the compromised systems. Rather than reaching out to attacker-controlled infrastructure that might raise alarms, the backdoor hid its activity inside traffic associated with Microsoft's widely used collaboration platform.
To anyone monitoring network traffic, the compromised systems appeared to communicate only with legitimate Microsoft servers.
"The attackers in this campaign use exceptionally sophisticated cyber tradecraft," Symantec said. "The configuration of Backdoor.Turn means that security products only see C&C traffic going to...
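As an added illustration (not from the article, Symantec, or the malware itself), one defender-side check for the pattern described here: flag Teams-bound connections whose originating process is not the expected client binary, or whose timing is near-constant in a way an interactive client rarely is. The telemetry format, host names and process allow-list are assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed endpoint telemetry (hypothetical "ts host process dest" format), not from the article.
SAMPLE_LOG = """\
1700000000 WS01 ms-teams.exe teams.microsoft.com
1700000013 WS01 ms-teams.exe teams.microsoft.com
1700000055 WS01 ms-teams.exe teams.microsoft.com
1700000200 WS01 ms-teams.exe teams.microsoft.com
1700000000 WS02 svchost.exe teams.microsoft.com
1700000060 WS02 svchost.exe teams.microsoft.com
1700000120 WS02 svchost.exe teams.microsoft.com
1700000000 WS03 ms-teams.exe teams.microsoft.com
1700000060 WS03 ms-teams.exe teams.microsoft.com
1700000121 WS03 ms-teams.exe teams.microsoft.com
1700000180 WS03 ms-teams.exe teams.microsoft.com
"""

EXPECTED_TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}  # assumed client binary names
TEAMS_HOST = re.compile(r"(^|\.)teams\.microsoft\.com$")
LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse(log):
    """Yield (ts, host, process, dest) tuples; lines that do not match are skipped."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, host, proc, dest = m.groups()
            yield int(ts), host, proc.lower(), dest.lower()

def find_suspicious(log, min_events=4, max_cv=0.2):
    """Return {(host, process): reason} for Teams-bound traffic from an unexpected
    process, or from an expected process with beacon-like regular intervals."""
    by_pair = defaultdict(list)
    for ts, host, proc, dest in parse(log):
        if TEAMS_HOST.search(dest):
            by_pair[(host, proc)].append(ts)
    findings = {}
    for (host, proc), stamps in by_pair.items():
        if proc not in EXPECTED_TEAMS_PROCESSES:
            findings[(host, proc)] = "unexpected process"
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Coefficient of variation of the inter-connection gaps: near zero means a fixed timer.
        if len(gaps) >= min_events - 1 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            findings[(host, proc)] = "regular beacon interval"
    return findings
```

On the constructed sample, WS02 is flagged because svchost.exe is talking to Teams, and WS03 is flagged because its ms-teams.exe connects on an almost exact 60-second cadence, while WS01's irregular client traffic passes.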
Copyright of this story solely belongs to theregister.com.