Fast Facts
- Attackers exploited legitimate Microsoft Teams infrastructure by utilizing a custom Go-based backdoor, Backdoor.Turn, which covertly communicates via Teams’ relay servers using a compromised visitor token and a legitimate TURN relay, enabling stealthy command-and-control (C2) operations.
- The campaign employed advanced tactics including a sophisticated Bring Your Own Vulnerable Driver (BYOVD) approach—exploiting unpublicized vulnerabilities like Huawei’s HWAuidoOs2Ec.sys and custom malicious drivers like Abyss Worker—to bypass security defenses and achieve kernel-level access.
- The threat group used multi-stage techniques such as phishing via malicious ZIP archives, DLL hijacking, and persistent system modifications, culminating in deploying DragonForce ransomware, while maintaining covert communication channels stealthily through legitimate infrastructure.
Threat, Techniques, and Targets
The threat involves attackers using a sophisticated method to remain hidden while deploying ransomware. They targeted a major U.S. services firm and stayed in the network for one to two months. The attackers used a custom Go-based backdoor called Backdoor.Turn. It was deployed after gaining access, likely through an exploitation of an SQL or MSSQL vulnerability, or possibly by buying access from an access broker. They downloaded malicious files, including a ZIP archive with tools for reconnaissance and persistence. The attackers used several defense evasion techniques, such as exploiting vulnerable drivers and DLL hijacking. They also used a Bring Your Own Vulnerable Driver (BYOVD) method, exploiting specific drivers like the Havoc Process Terminator and others. Their main goal was to deploy the DragonForce ransomware payload, which encrypts data and exfiltrates it. The attacks aimed at organizations with large networks and sensitive data.
Impact, Security Implications, and Remediation
This attack shows a high level of technical skill and careful planning. Because the malware uses legitimate Microsoft Teams relay infrastructure, network defenders only see normal traffic. This makes detection very difficult, as the malicious commands are hidden in trusted channels. The exploitation of unknown vulnerabilities like the Havoc Process Terminator driver reveals the attackers’ advanced capabilities. The deployment of Backdoor.Turn provides persistent access, which could be used for future intrusions or resale. The security impact includes data theft, data encryption, and disruption of services. Organizations should urgently review their defenses for vulnerabilities in drivers and software. They must also monitor network traffic for unusual connections to known malicious IPs and domains. If you need specific remediation guidance, consult the vendor or relevant cybersecurity authority for updated advice.
Continue Your Tech Journey
Explore the future of technology with our detailed insights on Artificial Intelligence.
Access comprehensive resources on technology by visiting Wikipedia.
ThreatIntel-V1
