2026-06-17
DragonForce abuses Microsoft Teams TURN relays for C2 and chains four vulnerable drivers (BYOVD)
Background. DragonForce is a ransomware-as-a-service operation that has been documented since 2023 and rebranded itself in 2024–2025 as a "cartel"-style affiliate model; it has been tied to attacks on retail and enterprise targets across multiple regions and has previously leaned on affiliate-supplied access and living-off-the-land tooling. This deep dive is not about the ransomware payload but about an intrusion Symantec disclosed on 2026-06-16 that introduces a genuinely novel command-and-control technique and an unusually deep bring-your-own-vulnerable-driver (BYOVD) chain (Symantec / Broadcom, 2026-06-16).
The intrusion. Symantec investigated a DragonForce intrusion at an unnamed major U.S. services company that began in December 2025, roughly two months of undetected dwell before discovery (BleepingComputer, 2026-06-16). Initial access was either through an internet-facing MSSQL server or through purchased access; either way, exposed database services remain a high-value entry point (T1190 Exploit Public-Facing Application). The actor then dropped a ZIP containing a legitimate, signed DbgView64.exe (or a VirtualBox binary) alongside a malicious vboxrt.dll, executed via DLL side-loading (T1574.002). Persistence and continued access were established through a LimitBlankPasswordUse registry change (the LSA setting that, when set to 0, allows accounts with blank passwords to log on over the network), creation of rogue local users and groups (T1136.001), and firewall-rule changes.
Backdoor.Turn and the Teams TURN-relay C2 (the novel part). Backdoor.Turn is a Go-based RAT injected into DbgView64.exe. It obtains an anonymous Microsoft Teams visitor token from Skype identity services, uses it to establish a TURN (Traversal Using Relays around NAT) relay session on Microsoft's own infrastructure, and then runs a QUIC tunnel over the relayed UDP path to the actual attacker C2. Symantec assesses this is the first known malware to abuse Teams' TURN relay servers for C2 (Symantec / Broadcom, 2026-06-16). The defensive consequence is severe: a defender inspecting network flows sees only outbound UDP/443 to legitimate Microsoft IP ranges, and the TURN allocation is the same kind of handshake a Teams client performs for every call. The technique is high-trust proxy/relay abuse (T1090 Proxy) that blends with the Teams traffic any Microsoft 365 tenant already generates, so the distinguishing signal is which process opened the session, not where the session went.
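To make the handshake concrete, here is an added example (written for this entry, not Symantec's analysis and not the malware's code) of the STUN/TURN Allocate exchange in Python. It encodes the message types and attributes from RFC 5389 / RFC 5766, builds an Allocate request and a success response carrying a constructed relayed address (192.0.2.10 is a documentation-range placeholder, not a Microsoft relay), and parses both back the way a network sensor would. It deliberately omits the long-term-credential round trip (401 with REALM/NONCE, then MESSAGE-INTEGRITY) that a production relay requires, so it is a parser for a sensor, not a working client.

```python
"""Minimal STUN/TURN Allocate codec (RFC 5389 framing, RFC 5766 attributes).

Added example for this entry; not Symantec's or the actor's code.  All
message bytes below are constructed in-process, not captured traffic.
"""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
METHOD_ALLOCATE = 0x003
CLASS_REQUEST, CLASS_INDICATION, CLASS_SUCCESS, CLASS_ERROR = 0, 1, 2, 3
ATTR_LIFETIME = 0x000D
ATTR_XOR_RELAYED_ADDRESS = 0x0016
ATTR_REQUESTED_TRANSPORT = 0x0019
PROTO_UDP = 17


def encode_type(method, cls):
    """Interleave the 12-bit method and 2-bit class into the 14-bit STUN type."""
    return (((method & 0x0F80) << 2) | ((method & 0x0070) << 1) | (method & 0x000F)
            | ((cls & 0x2) << 7) | ((cls & 0x1) << 4))


def decode_type(mtype):
    """Inverse of encode_type: split a STUN message type into (method, class)."""
    method = ((mtype & 0x3E00) >> 2) | ((mtype & 0x00E0) >> 1) | (mtype & 0x000F)
    cls = ((mtype & 0x0100) >> 7) | ((mtype & 0x0010) >> 4)
    return method, cls


def build_attr(atype, value):
    """TLV attribute, value padded to a 4-byte boundary as the RFC requires."""
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def build_message(method, cls, attrs, txid=None):
    txid = txid or os.urandom(12)
    body = b"".join(build_attr(t, v) for t, v in attrs)
    return struct.pack("!HHI", encode_type(method, cls), len(body), MAGIC_COOKIE) + txid + body


def build_allocate_request(txid=None):
    # REQUESTED-TRANSPORT: protocol 17 (UDP) followed by three reserved bytes.
    return build_message(METHOD_ALLOCATE, CLASS_REQUEST,
                         [(ATTR_REQUESTED_TRANSPORT, bytes([PROTO_UDP, 0, 0, 0]))], txid)


def build_allocate_success(txid, relayed_ip, relayed_port, lifetime=600):
    # XOR-RELAYED-ADDRESS: family 0x01 (IPv4); port XOR top 16 bits of the
    # cookie, address XOR the whole cookie.  IPv4 only in this example.
    xport = relayed_port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(relayed_ip))[0] ^ MAGIC_COOKIE
    addr = struct.pack("!BBHI", 0, 1, xport, xaddr)
    return build_message(METHOD_ALLOCATE, CLASS_SUCCESS,
                         [(ATTR_XOR_RELAYED_ADDRESS, addr),
                          (ATTR_LIFETIME, struct.pack("!I", lifetime))], txid)


def parse_message(data):
    """Return None unless data is a well-formed STUN message, else a dict."""
    if len(data) < 20:
        return None
    mtype, length, cookie = struct.unpack("!HHI", data[:8])
    # Top two bits zero, magic cookie present, declared length matches payload.
    if cookie != MAGIC_COOKIE or mtype & 0xC000 or len(data) != 20 + length:
        return None
    method, cls = decode_type(mtype)
    attrs, pos = {}, 20
    while pos + 4 <= len(data):
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if len(value) != alen:          # truncated attribute
            return None
        attrs[atype] = value
        pos += 4 + alen + ((-alen) % 4)
    out = {"method": method, "class": cls, "txid": data[8:20], "attrs": attrs}
    raw = attrs.get(ATTR_XOR_RELAYED_ADDRESS)
    if raw and len(raw) == 8 and raw[1] == 1:
        _, _, xport, xaddr = struct.unpack("!BBHI", raw)
        out["relayed"] = (socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE)),
                          xport ^ (MAGIC_COOKIE >> 16))
    return out


def is_turn_allocate_request(data):
    """True for an Allocate request asking for a UDP relay (what a sensor keys on)."""
    m = parse_message(data)
    return bool(m and m["method"] == METHOD_ALLOCATE and m["class"] == CLASS_REQUEST
                and m["attrs"].get(ATTR_REQUESTED_TRANSPORT, b"")[:1] == bytes([PROTO_UDP]))


if __name__ == "__main__":
    txid = os.urandom(12)
    req = build_allocate_request(txid)
    print("client -> relay:", req.hex(), "allocate:", is_turn_allocate_request(req))
    resp = build_allocate_success(txid, "192.0.2.10", 49152)   # constructed relay address
    print("relay -> client: relayed address", parse_message(resp)["relayed"])
```

The point for detection is the asymmetry: the bytes of an Allocate request are trivially recognisable (cookie 0x2112A442, type 0x0003, REQUESTED-TRANSPORT = UDP), but every Teams call produces the same bytes to the same relay ranges, so the parser alone yields no verdict; it becomes useful only when the flow is joined to the process that emitted it.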
The four-driver BYOVD chain. To disable defences, the actor loaded four signed-but-vulnerable kernel drivers (T1068 Exploitation for Privilege Escalation, used here to gain kernel-mode execution and then impair security tooling, T1562.001 Disable or Modify Tools): Huawei HWAuidoOs2Ec.sys (novel, no prior CVE), Topaz Antifraud wsftprm.sys (CVE-2023-52271), Tower of Fantasy GameDriverx64.sys (CVE-2025-61155), and K7 Security K7RKScan.sys (CVE-2025-1055). A custom malicious driver, ABYSSWORKER, masqueraded as a Palo Alto Networks driver to handle defence evasion. Carrying four drivers where one working driver would do is consistent with packing fallbacks for hosts on which a given driver is already blocklisted. Follow-on activity included network scanning (T1046), AD/LDAP enumeration (T1018), TLS-certificate harvesting, browser credential theft (T1555.003), and credential-based lateral movement (T1021).
Detection concepts (no IOCs). (1) Hunt for DbgView64.exe or VirtualBox binaries initiating UDP/443 (QUIC) sessions to Microsoft TURN-relay ranges, correlated with the module load that marks the side-load (vboxrt.dll loaded into DbgView64.exe, Sysmon EID 7): Sysmon EID 3 network-connection events (NetworkConnect logging is off in Sysmon's default configuration and must be enabled) filtered against the Teams processes that legitimately generate this traffic. (2) Alert on signed drivers from Huawei, Topaz, Tower of Fantasy or K7 Security loading on systems that are not gaming or K7-protected hosts (Sysmon EID 6 driver-load). (3) Registry-value sets on HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse (Sysmon EID 13), especially to 0. (4) Rogue local user creation and local group-membership changes (Windows Security EID 4720 account created, 4732 member added to a security-enabled local group) (Help Net Security, 2026-06-16).
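The four detection concepts, expressed as hunt rules over host telemetry, as an added example (written for this entry, not a vendor rule set). The event dicts mimic Sysmon field names (Image, ImageLoaded, TargetObject, Details) and Security-log event IDs but are constructed by hand, not taken from the Symantec case; the host-role tags are an assumption standing in for whatever your CMDB knows about which machines run games or K7 products.

```python
"""Hunt rules for the DragonForce tradecraft described above.

Added example for this entry, not vendor code.  EVENTS and HOST_ROLES are
constructed inputs; the rules key on the signals the text names: the
vboxrt.dll side-load, non-Teams processes speaking UDP/443, the four
vulnerable drivers on hosts with no reason to have them, the
LimitBlankPasswordUse change, and local account/group changes.
"""
from collections import defaultdict

SIDELOAD_HOSTS = {"dbgview64.exe", "virtualbox.exe"}   # signed carriers named in the report
SIDELOAD_DLL = "vboxrt.dll"
TEAMS_IMAGES = {"ms-teams.exe", "teams.exe"}          # processes expected to speak TURN/QUIC
# driver basename -> host roles on which its presence is expected (assumption)
DRIVER_EXPECTED_ROLES = {
    "hwauidoos2ec.sys": set(),          # Huawei, no legitimate role in this estate
    "wsftprm.sys": set(),               # Topaz Antifraud (CVE-2023-52271)
    "gamedriverx64.sys": {"gaming"},    # Tower of Fantasy (CVE-2025-61155)
    "k7rkscan.sys": {"k7-av"},          # K7 Security (CVE-2025-1055)
}
LSA_BLANK_PW = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse"


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events, host_roles):
    """Return (rule, host, detail) tuples.  host_roles maps host -> set of role tags."""
    findings = []
    sideloaded = defaultdict(set)       # host -> carrier images that loaded vboxrt.dll
    # Pass 1: EID 7 image loads, so later network events can be graded against them.
    for e in events:
        if e["eid"] == 7 and basename(e["ImageLoaded"]) == SIDELOAD_DLL:
            img = basename(e["Image"])
            if img in SIDELOAD_HOSTS:
                sideloaded[e["host"]].add(img)
                findings.append(("sideload.vboxrt", e["host"], f"{img} loaded {SIDELOAD_DLL}"))
    # Pass 2: everything else.
    for e in events:
        host, eid = e["host"], e["eid"]
        if eid == 3 and e.get("Protocol") == "udp" and e.get("DestinationPort") == 443:
            img = basename(e["Image"])
            if img not in TEAMS_IMAGES:      # Teams itself is the expected QUIC/TURN talker
                sev = "high" if img in sideloaded[host] else "medium"
                findings.append((f"quic.nonteams.{sev}", host, f"{img} -> {e['DestinationIp']}:443/udp"))
        elif eid == 6:
            drv = basename(e["ImageLoaded"])
            if drv in DRIVER_EXPECTED_ROLES and not (DRIVER_EXPECTED_ROLES[drv] & host_roles.get(host, set())):
                findings.append(("byovd.driver", host, drv))
        elif eid == 13 and e["TargetObject"].lower() == LSA_BLANK_PW.lower() \
                and e["Details"].endswith("0x00000000)"):   # Sysmon renders DWORDs as "DWORD (0x...)"
            findings.append(("lsa.blankpassword", host, e["Details"]))
        elif eid in (4720, 4732):
            findings.append((f"localaccount.{eid}", host, e.get("MemberName") or e.get("TargetUserName")))
    return findings


EVENTS = [  # constructed sample telemetry, not from the Symantec investigation
    {"host": "ws-017", "eid": 7, "Image": r"C:\Users\Public\tools\DbgView64.exe",
     "ImageLoaded": r"C:\Users\Public\tools\vboxrt.dll"},
    {"host": "ws-017", "eid": 3, "Image": r"C:\Users\Public\tools\DbgView64.exe",
     "Protocol": "udp", "DestinationIp": "192.0.2.45", "DestinationPort": 443},
    {"host": "ws-017", "eid": 3, "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "Protocol": "udp", "DestinationIp": "192.0.2.45", "DestinationPort": 443},
    {"host": "ws-017", "eid": 6, "ImageLoaded": r"C:\Windows\Temp\K7RKScan.sys"},
    {"host": "av-mgmt-01", "eid": 6, "ImageLoaded": r"C:\Program Files\K7\K7RKScan.sys"},
    {"host": "ws-017", "eid": 13, "TargetObject": LSA_BLANK_PW, "Details": "DWORD (0x00000000)"},
    {"host": "ws-017", "eid": 4720, "TargetUserName": "svc_backup2"},
    {"host": "ws-017", "eid": 4732, "TargetUserName": "Administrators", "MemberName": r"WS-017\svc_backup2"},
]
HOST_ROLES = {"ws-017": {"workstation"}, "av-mgmt-01": {"k7-av"}}

if __name__ == "__main__":
    for finding in hunt(EVENTS, HOST_ROLES):
        print(*finding, sep=" | ")
```

Two design choices matter here. The QUIC rule is graded rather than binary: a non-Teams process on UDP/443 is medium on its own and high only when the same host already showed the vboxrt.dll side-load, which keeps the many legitimate QUIC talkers (browsers, update agents) from drowning the signal. The driver rule is role-aware, so K7RKScan.sys on the K7-managed host produces nothing while the same driver dropped into C:\Windows\Temp on a workstation does.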
Hardening. Enforce kernel-driver allow-listing via WDAC/HVCI and keep the Microsoft vulnerable-driver blocklist current, but do not lean on the blocklist alone: a driver with no prior CVE, like the Huawei one in this chain, is unlikely to be on any blocklist yet, which is why allow-listing is the durable control. Constrain egress so UDP/443 (QUIC) to Microsoft service tags is the only permitted path and is itself monitored; and audit any internet-reachable MSSQL/SQL Server instances out of existence. Because Backdoor.Turn rides genuine Microsoft relay infrastructure, IP/domain blocking is ineffective; the leverage is process-lineage and driver-load telemetry, not network reputation.