Symantec has identified a new backdoor malware, Backdoor.Turn, used by the DragonForce ransomware group against a U.S. services firm. This malware, notable for its use of Microsoft Teams' TURN relay to obfuscate its command-and-control (C2) communications, allows attackers to maintain hidden access for one to two months. The intrusion likely began with an SQL exploit or compromised broker access, followed by the use of a legitimate application to side-load a malicious DLL.
Attackers altered network security measures, exploited multiple vulnerabilities, and employed sophisticated evasion techniques. Detection is challenging because the malware's traffic blends with normal Teams traffic, which emphasizes the need for proactive measures to identify atypical behavior in Microsoft Teams sessions.
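One way to look for atypical Teams relay use is to check which process opens the session. The sketch below is an added example, not Symantec's detection logic: it flags hosts where a process outside an expected list talks to Teams media relays. The relay ranges and UDP ports are assumed from Microsoft's published Microsoft 365 endpoint list, and the allowlist, event field names, host names and paths are hypothetical.

```python
import ipaddress

# Assumption: Teams media relay ranges and UDP ports as published in Microsoft's
# Microsoft 365 endpoint list; refresh them from that list before relying on this.
TEAMS_RELAY_NETS = [ipaddress.ip_network(n) for n in ("52.112.0.0/14", "52.122.0.0/15")]
TEAMS_RELAY_PORTS = {3478, 3479, 3480, 3481}

# Assumption: process images expected to hold Teams media sessions on this estate.
EXPECTED_IMAGES = {"ms-teams.exe", "teams.exe", "msedgewebview2.exe"}

# Constructed network-connection events (shaped like endpoint telemetry that
# records the owning process); hosts, paths and addresses are made up.
SAMPLE_EVENTS = [
    {"host": "WS-014", "image": r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe",
     "proto": "udp", "dst": "52.114.10.20", "dport": 3479},
    {"host": "SQL-02", "image": r"C:\ProgramData\Updater\helper.exe",
     "proto": "udp", "dst": "52.113.5.9", "dport": 3478},
    {"host": "SQL-02", "image": r"C:\ProgramData\Updater\helper.exe",
     "proto": "udp", "dst": "52.113.5.9", "dport": 3478},
    {"host": "WS-014", "image": r"C:\Windows\System32\svchost.exe",
     "proto": "udp", "dst": "8.8.8.8", "dport": 53},
]


def unexpected_relay_clients(events):
    """Return {(host, image): connection_count} for non-Teams processes using Teams relays."""
    hits = {}
    for ev in events:
        # Only relay-style traffic: UDP to one of the TURN ports.
        if ev["proto"] != "udp" or ev["dport"] not in TEAMS_RELAY_PORTS:
            continue
        dst = ipaddress.ip_address(ev["dst"])
        if not any(dst in net for net in TEAMS_RELAY_NETS):
            continue
        # Compare on the executable's base name, case-insensitively.
        image = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image in EXPECTED_IMAGES:
            continue
        key = (ev["host"], ev["image"])
        hits[key] = hits.get(key, 0) + 1
    return hits


if __name__ == "__main__":
    for (host, image), count in unexpected_relay_clients(SAMPLE_EVENTS).items():
        print(f"{host}: {image} made {count} connection(s) to Teams relay ranges")
```

A hit on a server that has no reason to run Teams, such as a database host, is a stronger signal than one on a workstation, so it is worth ranking results by host role.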