Backdoor.Turn, a Go-based RAT, is the first known malware to abuse Microsoft Teams' TURN relay servers to mask command-and-control traffic. The attackers also used a previously unknown vulnerability in a Huawei driver.
# Tool/Technique: Backdoor.Turn & DragonForce TTPs
## Overview
Backdoor.Turn is a sophisticated Go-based Remote Access Trojan (RAT) utilized by the DragonForce ransomware group. It is notable for being the first documented malware to abuse Microsoft Teams' TURN (Traversal Using Relays around NAT) relay servers to tunnel command-and-control (C2) traffic, effectively masking malicious activity as legitimate Microsoft Teams network traffic.
## Technical Details
- **Type:** Malware family (Go-based RAT)
- **Platform:** Windows
- **Capabilities:** C2 tunneling via legitimate services, persistence, evasion, and remote access.
- **First Seen:** December 2025 (Activity documented into 2026)
## MITRE ATT&CK Mapping
- **[TA0003 - Persistence]**
  - [T1543.003 - Create or Modify System Process: Windows Service]
  - [T1136.001 - Create Account: Local Account]
- **[TA0005 - Defense Evasion]**
  - [T1027 - Obfuscated Files or Information]
  - [T1574.002 - Hijack Execution Flow: DLL Side-Loading]
  - [T1068 - Exploitation for Privilege Escalation] (BYOVD)
  - [T1562.001 - Impair Defenses: Disable or Modify Tools] (AV Killers)
- **[TA0011 - Command and Control]**
  - [T1568.002 - Domain Generation Algorithm] (Used in side-loaded DLLs)
  - [T1102.002 - Web Service: Bidirectional Communication] (Abuse of MS Teams TURN)
  - [T1095 - Non-Application Layer Protocol] (QUIC session via Relay)
## Functionality
### Core Capabilities
- **Traffic Masking:** Requests anonymous Teams visitor tokens from Skype identity services to utilize Microsoft TURN relays.
- **Protocol Tunneling:** Establishes a QUIC session nested within the Teams relay connection to communicate with the attacker's hardware C2.
- **Code Injection:** Injects into legitimate processes like `DbgView64.exe` to remain resident in memory.
### Advanced Features
- **BYOVD (Bring Your Own Vulnerable Driver):** Employs a "Havoc Process Terminator" using a Huawei driver (`HWAuidoOs2Ec.sys`) to kill security software at the kernel level.
- **Custom Drivers:** Uses "Abyss Worker," a custom malicious driver masquerading as a Palo Alto Networks driver to evade EDR/AV components.
- **Automated Evasion:** Side-loads malicious DLLs (`vboxrt.dll`) via legitimate VirtualBox binaries to download secondary payloads.
## Indicators of Compromise
- **File Hashes (SHA256):**
  - `048e18416177de2ead251abdf4d89837f6807c6aba4d5b1debe49adfdecbf05c` (Backdoor.Turn)
  - `8a4033425d36cd99fe23e6faef9764fbf555f362ebdb5b72379342fbbe4c5531` (Havoc Process Terminator)
  - `8284c8676cc22c4b2e66826ac16986da7ddecba1f2776b16771be17bfdc45dc2` (ABYSSWORKER driver)
  - `e45b18c93d187aac5c4486f57483bc87580e15def82a312bfb377ff16eb96b22` (DragonForce Ransomware)
- **File Names:** `vboxrt.dll`, `HWAuidoOs2Ec.sys`, `wsftprm.sys`, `Gamedriverx64.sys`, `K7RKScan.sys`, `DbgView64.exe`.
- **Network Indicators:**
  - `62.164.177[.]25` (Backdoor.Turn C2)
  - `turnkeyaiagents[.]com` (Tooling C2)
  - `projetosmecanicos.com[.]br` (Tooling C2)
  - `socialbizsolutions[.]com` (Tooling C2)
- **Behavioral Indicators:** Outbound QUIC traffic to Microsoft IP ranges associated with Teams/Skype; modification of `LimitBlankPassword` registry settings; unauthorized creation of local user groups.
## Associated Threat Actors
- **DragonForce** (Ransomware Group)
## Detection Methods
- **Signature-based:** Deploying YARA or AV definitions for the specific Go-compiled Turn backdoor and the identified vulnerable drivers.
- **Behavioral:**
  - Monitoring for legitimate processes (like VirtualBox or DbgView) making non-standard network connections.
  - Alerting on the loading of known vulnerable drivers (BYOVD) not typically present in the environment.
  - Inspecting QUIC traffic originating from non-browser applications toward Microsoft relay infrastructure.
## Mitigation Strategies
- **Driver Blocklisting:** Implement Microsoft’s recommended driver blocklist to prevent the loading of known vulnerable drivers used in BYOVD attacks.
- **Credential Hardening:** Enforce strong password policies and disable the use of blank passwords (reverting `LimitBlankPassword` changes).
- **Network Filtering:** Restrict access to Microsoft Teams infrastructure to known corporate-managed accounts, if possible, to mitigate anonymous token abuse.
- **Application Control:** Use AppLocker or similar tools to prevent the execution of unauthorized binaries and DLL side-loading in temporary directories.
## Related Tools/Techniques
- **Abyss Worker:** Custom driver used for defense evasion.
- **DLL Side-loading:** Standard tactic used to launch the initial stages of the attack via VirtualBox.
- **Topaz Antifraud / K7 Security Drivers:** Other third-party drivers exploited for kernel-level interference.