DragonForce ransomware group abuses Microsoft Teams relays to conceal command-and-control traffic

Threat actors associated with the DragonForce ransomware have been observed using a custom Go-based remote access trojan (RAT) called Backdoor.Turn to conceal command-and-control (C2) traffic inside Microsoft Teams relay infrastructure. According to findings from Broadcom-owned Symantec and Carbon Black, the backdoor was deployed against a major U.S. services firm. The name of the company was

DragonForce is the first ransomware operator to use this technique that was discovered last year.

The attackers deployed a new Go-based backdoor that uses Microsoft Teams servers for command-and-control. The post Microsoft Teams Relay Servers Abused in DragonForce Ransomware Attack appeared first on SecurityWeek.

The DragonForce ransomware group used a custom malware called Backdoor.Turn to hide command-and-control traffic inside Microsoft Teams relay infrastructure during an intrusion at a U.S. services company, according to Symantec. DragonForce is a ransomware-as-a-service operation that has been active since 2023. The group provides affiliates with ransomware tools and supporting services in exchange for a share of ransom payments. First known abuse of Microsoft Teams TURN infrastructure “Backdoor.Turn obtains an anonymous Teams visitor token from … More → The post Cybercriminals mask malicious communications through Microsoft Teams relays appeared first on Help Net Security.

Command and control traffic exploited a Teams visitor token to make malicious activity look legitimate to defenders

DragonForce ransomware used a custom malware named 'Backdoor.Turn' to hide command-and-control traffic inside Microsoft Teams relay infrastructure. [...]