Custom malware routed communications through legitimate Microsoft services, making malicious activity look like routine corporate collaboration
# Tool/Technique: Backdoor.Turn
## Overview
**Backdoor.Turn** is a custom, Go-based malware used by attackers associated with the DragonForce ransomware operation. Its primary purpose is to establish a persistent command-and-control (C2) channel that leverages legitimate Microsoft Teams infrastructure (specifically TURN relay servers) to blend in with routine corporate collaboration traffic and bypass network security controls.
## Technical Details
- **Type:** Malware (Backdoor / Trojan)
- **Platform:** Windows (implied by target environments and Go compilation targets)
- **Capabilities:** Stealthy C2 communication, persistence, data exfiltration, and remote access.
- **First Seen:** June 2026 (publicly identified)
## MITRE ATT&CK Mapping
- **TA0011 - Command and Control**
- **T1071.001 - Application Layer Protocol: Web Protocols** (HTTPS traffic to Microsoft domains)
- **T1102 - Web Service** (Leveraging legitimate external Web services)
- **T1568.002 - Dynamic Resolution: Domain Generation Algorithms** (Implicit in connecting to dynamically assigned relay servers)
- **TA0005 - Defense Evasion**
- **T1036 - Masquerading** (Traffic appears as legitimate Microsoft Teams activity)
- **T1573.002 - Encrypted Channel: Asymmetric Cryptography** (Use of QUIC protocol)
## Functionality
### Core Capabilities
- **C2 Camouflage:** Routes malicious communications through legitimate Microsoft Teams and Skype backend services.
- **Protocol Encapsulation:** Uses the QUIC (Quick UDP Internet Connections) protocol to establish a direct connection to a malicious C2 server after brokering the initial handshake through Microsoft.
- **Persistence:** Deployed post-ransomware infection to provide long-term access to the victim's environment.
### Advanced Features
- **TURN Relay Abuse:** Specifically utilizes Microsoft-operated TURN (Traversal Using Relays around NAT) servers—infrastructure designed for real-time video/audio collaboration—to relay traffic to attacker infrastructure.
- **Anonymous Token Retrieval:** Requests an anonymous visitor token from Microsoft Teams and Skype services to authenticate with the relay server without requiring valid corporate credentials.
## Indicators of Compromise
- **File Hashes:** *(Currently not provided in the source article—refer to Symantec's detailed report for specific SHA256 hashes)*.
- **File Names:** `Backdoor.Turn`
- **Registry Keys:** N/A (Source article focuses on network behavior).
- **Network Indicators:**
  - Traffic to `teams.microsoft[.]com`
  - Traffic to `skype[.]com` backend services
  - Outbound connections to legitimate Microsoft TURN relay IP ranges.
  - Unusual QUIC protocol (UDP 443) traffic patterns originating from non-collaboration processes.
- **Behavioral Indicators:**
  - Go-compiled binaries making unauthorized network requests to Microsoft API endpoints.
  - Execution following a DragonForce ransomware deployment.
## Associated Threat Actors
- **DragonForce:** A Ransomware-as-a-Service (RaaS) group.
- **Scattered Spider (UNC3944 / Starfraud):** A prolific threat group linked to DragonForce operations and sophisticated social engineering/tradecraft.
## Detection Methods
- **Signature-based detection:** Antivirus/EDR signatures for Go-based malware and specific "Backdoor.Turn" string patterns.
- **Behavioral detection:** Monitoring for processes other than `Teams.exe` or official browsers attempting to request TURN relay tokens from Microsoft.
- **Network Analysis:** Identifying long-duration QUIC connections to Microsoft IPs that exhibit traffic spikes inconsistent with typical voice/video calls.
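The two behavioral and network detection ideas above, written out as a small rule pass over constructed flow records. This is an added example, not code from the Symantec report or from this page; the process allowlist, the duration and spike thresholds, the flow record layout and the sample records are all assumptions chosen for illustration.

```python
# Added example: apply two detection rules from the page to network-flow
# records: (1) a process other than the Teams client or an approved browser
# talking to Microsoft Teams/Skype endpoints over UDP 443, and (2) a long-lived
# QUIC flow whose send rate spikes far above what a voice/video call produces.
# Allowlist, thresholds and record format are assumptions, not report values.
from dataclasses import dataclass

# Assumed allowlist: processes expected to reach Teams relay infrastructure.
ALLOWED_PROCESSES = {"teams.exe", "ms-teams.exe", "msedge.exe", "chrome.exe"}
# Domains taken from the page's network indicators (de-fanged brackets removed).
MS_COLLAB_SUFFIXES = ("teams.microsoft.com", "skype.com")
LONG_FLOW_SECONDS = 4 * 3600   # assumed: a relay flow longer than 4 h is unusual
SPIKE_RATIO = 5.0              # assumed: peak rate above 5x the average is a spike

@dataclass
class Flow:
    process: str
    dst_host: str
    proto: str
    dst_port: int
    duration_s: int
    bytes_out: int
    peak_bps: float   # highest observed one-second send rate, bits/s

def is_ms_collab(host: str) -> bool:
    """True for the exact domain or any subdomain of the listed suffixes."""
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in MS_COLLAB_SUFFIXES)

def classify(flow: Flow) -> list[str]:
    """Return the names of the rules this flow triggers (empty if benign)."""
    hits = []
    quic = flow.proto.upper() == "UDP" and flow.dst_port == 443
    if quic and is_ms_collab(flow.dst_host) and flow.process.lower() not in ALLOWED_PROCESSES:
        hits.append("unexpected_process_to_ms_relay")
    if quic and flow.duration_s >= LONG_FLOW_SECONDS:
        avg_bps = flow.bytes_out * 8 / max(flow.duration_s, 1)
        if flow.peak_bps > SPIKE_RATIO * avg_bps:
            hits.append("long_quic_flow_with_spikes")
    return hits

# Constructed sample flows (not real telemetry): a normal call, a suspicious
# unknown process holding a 6-hour relay session with bursts, a browser call.
SAMPLE_FLOWS = [
    Flow("Teams.exe", "teams.microsoft.com", "UDP", 443, 1800, 90_000_000, 500_000.0),
    Flow("unknown_app.exe", "teams.microsoft.com", "UDP", 443, 6 * 3600, 2_000_000, 4_000_000.0),
    Flow("chrome.exe", "api.skype.com", "UDP", 443, 600, 1_000_000, 20_000.0),
]

def run_detection(flows=SAMPLE_FLOWS) -> dict[str, list[str]]:
    """Map each flagged process to the rules it triggered."""
    return {f.process: hits for f in flows if (hits := classify(f))}
```

Tune `LONG_FLOW_SECONDS` and `SPIKE_RATIO` against your own baseline of legitimate Teams call durations and bitrates before using this on production telemetry.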
## Mitigation Strategies
- **Prevention measures:** Restrict outbound UDP 443 (QUIC) traffic to strictly authorized applications or use a proxy that inspects QUIC traffic.
- **Hardening recommendations:** Implement strict EDR policies to prevent unauthorized Go binaries from executing or accessing the network.
- **Zero Trust:** Monitor for "Living off trusted services" techniques where legitimate SaaS domains are used for non-standard purposes.
## Related Tools/Techniques
- **Living off Trusted Services (LoTS):** Broad technique of using tools like Google Drive, Dropbox, or Slack for C2.
- **DragonForce Ransomware:** The primary payload often associated with this backdoor.
- **Sliver / Cobalt Strike:** Frameworks often used in conjunction with custom backdoors for post-exploitation.