# Full Report
Threat actors associated with the DragonForce ransomware have been observed using a custom Go-based remote access trojan (RAT) called Backdoor.Turn to conceal command-and-control (C2) traffic inside Microsoft Teams relay infrastructure. According to findings from Broadcom-owned Symantec and Carbon Black, the backdoor was deployed against a major U.S. services firm. The name of the company was
# Analysis Summary
# Threat Actor: DragonForce (and Associated Groups)
## Attribution & Identity
* **Actor Name:** DragonForce (also referenced as DragonForce Ransomware).
* **Identity:** A ransomware-as-a-service (RaaS) operation that emerged in late 2023.
* **Aliases/Associations:** While distinct, the group has shown overlaps in tooling and negotiation style with older families such as LockBit 3.0 (via its leaked builder), and has shared infrastructure or tactics often seen in the "Storm" and "UNC" designation clusters within the broader cybercrime ecosystem.
## Activity Summary
DragonForce has been observed conducting highly targeted ransomware operations. Recent investigations by Symantec and Carbon Black reveal a shift toward sophisticated persistence mechanisms. The most significant recent activity involves the deployment of a custom Go-based backdoor, dubbed **Backdoor.Turn**, against a major U.S. services firm. The operation is characterized by its ability to bypass traditional perimeter defenses by piggybacking on trusted cloud infrastructure.
## Tactics, Techniques & Procedures
* **C2 Camouflage:** Leveraging Microsoft Teams relay infrastructure to tunnel and conceal Command-and-Control (C2) traffic.
* **Persistence:** Deployment of custom remote access trojans (RATs) written in Go (Golang) for cross-platform compatibility and evasion.
* **Data Exfiltration:** Typical ransomware "double extortion" tactics involving the theft of sensitive data prior to encryption.
* **Living off the Land (LotL):** Utilization of legitimate administrative tools to move laterally within the network.
* **Evasion:** Using encrypted communication channels within legitimate business applications (Teams) to avoid detection by Network Detection and Response (NDR) tools.
## Targeting
* **Sectors:** Professional Services, Manufacturing, Healthcare, and Critical Infrastructure.
* **Geography:** Primarily North America (United States), with secondary targets in Europe and Asia.
* **Victims:** A "major U.S. services firm" (Specific name redacted in source text) and various small-to-medium enterprises listed on their leak site.
## Tools & Infrastructure
* **Malware:**
  * **Backdoor.Turn:** A custom Go-based RAT used for initial access and persistent C2.
  * **DragonForce Ransomware:** The primary encryption payload.
* **Infrastructure:**
  * **Microsoft Teams Relay:** Used as a proxy/tunnel for C2 communications.
  * **C2 Domains:** [h]xxps://teams.microsoft[.]com (a legitimate Microsoft domain abused via relay tactics, not attacker-owned infrastructure).
  * **Data Leak Site:** A dedicated Onion-based portal for publishing victim data.
## Implications
The use of **Backdoor.Turn** marks a significant evolution in ransomware TTPs. By routing traffic through Microsoft Teams infrastructure, DragonForce effectively neutralizes many IP-based reputation filters and domain-blocking strategies. This approach of abusing legitimate SaaS infrastructure (sometimes described as "Bring Your Own Infrastructure") increases the difficulty of attribution and real-time detection, because the traffic appears to be legitimate enterprise collaboration traffic rather than C2.
## Mitigations
* **SaaS Monitoring:** Implement strict monitoring of Microsoft Teams logs for unusual relay or TURN (Traversal Using Relays around NAT) patterns that do not correlate with known user activity.
* **Endpoint Detection (EDR):** Deploy EDR solutions configured to alert on Go-based binaries initiating network connections from unexpected directories (e.g., AppData, Temp).
* **Network Segmentation:** Restrict the ability of internal workstations to communicate with external relay services unless explicitly required for business functions.
* **Threat Hunting:** Regularly hunt for unusual parent-child process relationships involving `Teams.exe` or suspicious PowerShell execution used to deploy the backdoor.
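The following script turns the TTPs and mitigations above (relay traffic from unexpected processes, unsigned binaries launching network connections from AppData/Temp, `Teams.exe` spawning script hosts, and a triage check for Go-built executables) into runnable hunting logic. It is an added example and is not code from the Symantec/Carbon Black report or from any vendor product. The telemetry schema, file paths, signer string, hostname and command lines are all constructed for illustration; the process allowlist and script-host list are assumptions to tune per environment, and the Go-marker check is a heuristic, not a verdict.

```python
"""
Hunting logic for the Backdoor.Turn-style TTPs summarised above.

Added example. The telemetry records are a constructed, simplified
EDR-style schema (not any vendor's format); every path, signer string,
hostname and command line below is constructed for illustration.
"""
import re
from typing import Dict, List

# Standard STUN/TURN ports (RFC 5389 / RFC 8656); relays also fall back to TLS/443.
TURN_PORTS = {3478, 5349}

# Processes expected to carry Teams relay traffic. Assumed allowlist; tune per estate.
EXPECTED_RELAY_PROCESSES = {"teams.exe", "ms-teams.exe"}

# Script hosts a collaboration client should never spawn (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}

# User-writable drop locations called out in the mitigations (AppData, Temp).
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Public)\\", re.IGNORECASE)

# Constructed signer value. In production verify the Authenticode chain,
# not a free-text field copied from telemetry.
TRUSTED_SIGNER = "Microsoft Corporation"

# Strings the Go toolchain leaves in executables even after stripping symbols:
# the build-ID marker and pclntab function names. Triage heuristic only.
GO_MARKERS = (b"Go build ID:", b"runtime.main", b"go.buildid")


def looks_like_go_binary(data: bytes) -> bool:
    """Cheap static check used to prioritise unknown binaries for triage."""
    return any(marker in data for marker in GO_MARKERS)


def hunt(events: List[Dict]) -> List[Dict]:
    """Return one finding per event that matches a hunting rule."""
    findings = []
    for e in events:
        proc = e["process"].lower()
        if e["type"] == "netconn":
            in_user_dir = bool(USER_WRITABLE_RE.search(e["image"]))
            trusted = e.get("signer") == TRUSTED_SIGNER
            if e["dst_port"] in TURN_PORTS and proc not in EXPECTED_RELAY_PROCESSES:
                findings.append({"rule": "turn_from_unexpected_process", "event": e})
            elif in_user_dir and not trusted:
                # Classic Teams itself installs under AppData, so the directory
                # check only means something combined with the signer check.
                findings.append({"rule": "unsigned_binary_in_user_dir_netconn", "event": e})
        elif e["type"] == "procstart":
            if e["parent"].lower() in EXPECTED_RELAY_PROCESSES and proc in SCRIPT_HOSTS:
                findings.append({"rule": "teams_spawned_script_host", "event": e})
    return findings


# Constructed sample telemetry: one benign Teams client, three suspicious events,
# and two benign controls.
SAMPLE_EVENTS = [
    {"type": "netconn", "process": "Teams.exe",
     "image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "signer": "Microsoft Corporation", "dst": "relay.example.invalid", "dst_port": 3478},
    {"type": "netconn", "process": "svchost.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "signer": None, "dst": "relay.example.invalid", "dst_port": 3478},
    {"type": "netconn", "process": "update.exe",
     "image": r"C:\Users\alice\AppData\Roaming\update.exe",
     "signer": None, "dst": "203.0.113.10", "dst_port": 443},
    {"type": "procstart", "process": "powershell.exe", "parent": "Teams.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Users\alice\AppData\Local\Temp\setup.ps1"},
    {"type": "netconn", "process": "chrome.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "signer": "Google LLC", "dst": "198.51.100.7", "dst_port": 443},
    {"type": "procstart", "process": "Update.exe", "parent": "Teams.exe",
     "image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
     "cmdline": "Update.exe --processStart Teams.exe"},
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        ev = f["event"]
        print(f'{f["rule"]}: {ev["process"]} ({ev["image"]})')
```

The three rules are deliberately narrow: the TURN-port rule keys on the allowlist rather than on the destination, because the relay endpoint itself is legitimate Microsoft infrastructure and blocking it would break Teams; the user-directory rule pairs the path with a signature check precisely because the classic Teams client lives under AppData; and the parent-child rule is the cheapest high-signal hunt for the PowerShell deployment described above. `looks_like_go_binary` is there to prioritise which unknown executables from those findings get pulled for analysis first.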