DragonForce Ransomware Abused Microsoft Teams to Hide Malware Activity


Cybercriminals linked to the DragonForce ransomware group recently compromised a US services firm and concealed their malicious traffic by abusing Microsoft Teams’ relay infrastructure.

According to research from Broadcom’s Symantec and Carbon Black threat hunter teams, the attackers used a newly identified, custom-built backdoor to keep their activity hidden inside trusted business traffic.

The malicious backdoor

The custom tool used in the attack has been identified as Backdoor.Turn, a Go-based backdoor designed to hide command-and-control traffic inside trusted Microsoft Teams relay connections.

According to Symantec and Carbon Black researchers, Backdoor.Turn first obtains an anonymous Microsoft Teams visitor token, then uses Microsoft’s TURN relay infrastructure to route traffic through legitimate Microsoft servers before connecting to the attackers’ command-and-control server.

That makes the activity difficult to spot. To network administrators, the traffic may appear to be ordinary Microsoft Teams communication rather than a connection to attacker-controlled infrastructure. The researchers said this “appears...
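Because the destination looks like Teams, one place to check is the endpoint: which process opened the relay connection. The following is an added example, not code from the article or from the researchers, that flags relay connections made by processes other than the expected Teams clients. The relay address ranges and ports, the allowlist and the sample events are assumptions to verify against Microsoft's current endpoint list and your own environment.

```python
import ipaddress

# Assumption: Teams media relay ranges/ports as published in Microsoft's
# Microsoft 365 endpoint documentation; confirm against the current list.
TEAMS_RELAY_NETS = [ipaddress.ip_network(n) for n in
                    ("13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15")]
TEAMS_RELAY_PORTS = {("udp", p) for p in range(3478, 3482)} | {("tcp", 443)}

# Assumption: processes expected to reach the relays here (tune per estate).
EXPECTED_CLIENTS = {"ms-teams.exe", "teams.exe", "msedge.exe", "chrome.exe"}

# Constructed sample events in the shape of EDR/Sysmon network-connection logs.
SAMPLE_EVENTS = [
    {"host": "ws-014", "image": r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe",
     "proto": "udp", "dst_ip": "52.114.10.20", "dst_port": 3478},
    {"host": "ws-014", "image": r"C:\Users\Public\svcupd.exe",
     "proto": "udp", "dst_ip": "52.115.1.9", "dst_port": 3479},
    {"host": "ws-022", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "proto": "tcp", "dst_ip": "93.184.216.34", "dst_port": 443},
    {"host": "srv-03", "image": r"C:\ProgramData\helper.exe",
     "proto": "tcp", "dst_ip": "52.123.4.4", "dst_port": 443},
]


def is_relay_endpoint(ev):
    """True when the destination falls in a relay range on a relay port."""
    ip = ipaddress.ip_address(ev["dst_ip"])
    return ((ev["proto"], ev["dst_port"]) in TEAMS_RELAY_PORTS
            and any(ip in net for net in TEAMS_RELAY_NETS))


def process_name(image_path):
    """Lower-cased file name from a Windows or POSIX image path."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_unexpected_relay_clients(events):
    """Relay connections whose owning process is not an expected client."""
    return [ev for ev in events
            if is_relay_endpoint(ev)
            and process_name(ev["image"]) not in EXPECTED_CLIENTS]


if __name__ == "__main__":
    for ev in flag_unexpected_relay_clients(SAMPLE_EVENTS):
        print(ev["host"], ev["image"], ev["proto"], ev["dst_ip"], ev["dst_port"])
```

A file name alone is easy to imitate, so in practice pair the allowlist with the binary's signer and install path. Servers with no Teams client installed should rarely produce any relay connection at all.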

Copyright of this story solely belongs to hackread.com.