Full Report
A new post-exploitation command-and-control (C2) evasion method called 'Ghost Calls' abuses TURN servers used by conferencing apps like Zoom and Microsoft Teams to tunnel traffic through trusted infrastructure. [...]
Analysis Summary
# Tool/Technique: Ghost Calls Tactic (C2 via Zoom/Teams WebRTC)
## Overview
The "Ghost Calls" tactic is a technique that leverages existing, legitimate video conferencing platforms like Zoom and Microsoft Teams for Command and Control (C2) operations. This is achieved by disguising C2 traffic as normal communications within these services, specifically utilizing features like WebRTC (Web Real-Time Communication) established through the providers' TURN (Traversal Using Relays around NAT) servers. This technique allows attackers to bypass traditional network security controls, such as firewalls, proxies, and TLS inspection, because the traffic flows over trusted infrastructure using legitimate vendor domains.
## Technical Details
- Type: Technique/Framework (Abuse of Legitimate Software)
- Platform: Windows/Enterprise environments utilizing Zoom or Microsoft Teams.
- Capabilities: Encrypted C2 channel establishment, high-performance connectivity, evasion of network security tools, support for UDP/TCP over port 443.
- First Seen: Context indicates this is a newly identified tactic arising from Crosser's research, which culminated in the 'TURNt' tool.
## MITRE ATT&CK Mapping
Since this is a C2 evasion technique, the closest general mappings fall under Command and Control and Defense Evasion:
- **TA0011 - Command and Control**
- **T1071 - Application Layer Protocol**
- **T1071.001 - Web Protocols** (Leveraging WebRTC/HTTPS infrastructure)
- **TA0005 - Defense Evasion**
- **T1027 - Obfuscated Files or Information** (WebRTC cryptography hides content)
- **T1090 - Proxy** (Leveraging TURN servers as relays)
- **T1573 - Encrypted Channel** (WebRTC traffic is encrypted)
## Functionality
### Core Capabilities
- **C2 Traffic Camouflage:** Malicious traffic is wrapped within legitimate WebRTC data channels established through Zoom or Microsoft Teams infrastructure.
- **Network Evasion:** Bypasses firewalls, proxies, and TLS inspection because traffic originates from and routes through trusted, high-reputation provider domains (Zoom/Teams).
- **Reliable Connectivity:** Utilizes the existing high-performance, reliable connectivity provided by the conferencing services, supporting both UDP and TCP on port 443.
### Advanced Features
- **VNC Tunneling:** Facilitates the tunneling of hidden Virtual Network Computing (VNC) traffic over the stealthy C2 channel.
- **Local/Remote Port Forwarding:** Supports local and remote port forwarding over the covert channel, providing the tunnels needed for post-exploitation activities.
- **Data Exfiltration:** Can be used to secretly move data off the compromised host.
## Indicators of Compromise
(Note: Since this abuses legitimate services, file/network indicators are dependent on the specific tool used to implement the abuse, such as 'TURNt'.)
- File Hashes: N/A (Focus is on network behavior)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Legitimate WebRTC signaling and TURN server interactions associated with Zoom or Microsoft Teams traffic patterns, but carrying anomalous payloads or communicating in an unusual sequence relative to standard conferencing sessions.
- Behavioral Indicators: Establishment of persistent, non-interactive WebRTC data channels used for tunneling unrelated protocols (like SOCKS).
## Associated Threat Actors
- No specific threat actors are named in the provided context, but the associated utility 'TURNt' was developed by Praetorian researchers.
## Detection Methods
- Signature-based detection: Unlikely to work against the legitimate traffic flow itself.
- Behavioral detection: Monitoring for established WebRTC data channels that persist outside of active, user-initiated media or signaling sessions, and for anomalous traffic volume or protocol mixing within established WebRTC connections.
- YARA rules: Not provided.
## Mitigation Strategies
- Prevention measures: Vendor-specific controls, if available, to limit non-standard WebRTC usage or data channel establishment outside of genuine meetings.
- Hardening recommendations: Implement strict egress filtering that specifically looks for C2-like behavior even over allowed ports (443). Apply deep packet inspection focused on identifying embedded non-WebRTC protocols (like SOCKS) within the WebRTC encapsulation. Review Zoom/Teams configuration settings for data channel limitations.
## Related Tools/Techniques
- **TURNt Utility:** A custom, open-source tool developed by Praetorian that implements the technique, consisting of a Controller (attacker side) and a Relay (compromised host side) to tunnel C2 traffic via WebRTC TURN servers.
- **Other legitimate application layer tunneling:** Techniques abusing other trusted C2 channels (e.g., DNS, SMTP, legitimate cloud services).