Hackers Exploit Microsoft Teams and Zoom in New ‘Ghost Calls’ Tactic

The ‘Ghost Calls’ post-exploitation command-and-control (C2) evasion technique exploits TURN servers, which are utilised by conferencing applications like as Zoom and Microsoft Teams, to tunnel communications over reliable infrastructure.

Ghost Calls circumvents the majority of current defences and anti-abuse mechanisms without the use of an attack by using WebRTC, genuine credentials, and proprietary tooling.

Adam Crosser, a security researcher at Praetorian, demonstrated this novel strategy at BlackHat USA, emphasising that Red Teams can employ it for penetration emulation exercises.

“We leverage web conferencing protocols, which are designed for real-time, low-latency communication and operate through globally distributed media servers that function as natural traffic relays,” according to the briefing for the presentation. 

“This approach allows operators to blend interactive C2 sessions into normal enterprise traffic patterns, appearing as nothing more than a temporarily joined online meeting.”

How the Ghost Calls Operate is through a Video call, VoIP, and WebRTC services in which it frequently use TURN (Traversal Using Relays across NAT), a networking protocol that facilitates communication between devices behind NAT firewalls in situations where a direct connection is not feasible.

The Ghost Calls can use the temporary TURN credentials that a Zoom or Teams client obtains when they attend a meeting to establish a TURN-based WebRTC tunnel between the victim and the attacker.

Through trusted infrastructure that Zoom or Teams utilise, this tunnel can then be used to proxy arbitrary data or mask C2 traffic as normal video conference traffic. 

Malicious traffic can get past firewalls, proxies, and TLS inspection because it is routed through authentic domains and IPs that are frequently used in the company. WebRTC traffic is also nicely disguised because it is encrypted.

By misusing these technologies, attackers can benefit from high performance, dependable connectivity, and the flexibility of using both TCP and UDP across port 443 while avoiding exposing their own domains and infrastructure.

Traditional C2 techniques, on the other hand, are noticeable, slow, and frequently do not have the real-time exchange capabilities needed to support VNC activities.

Turning it around the result of Crosser’s research was a unique open-source tool called ‘TURNt’ that can be used to tunnel C2 traffic over WebRTC TURN servers like Zoom and Teams provide. It is available on GitHub.

The two parts of TURNt are a relay installed on a compromised host and a controller operating on the attacker’s end.

In order to accept connections tunnelled using TURN, the Controller operates a SOCKS proxy server. Relay establishes a WebRTC data channel via the provider’s TURN server and reconnects to the Controller using TURN credentials.

TURNt is capable of data exfiltration, local or remote port forwarding, SOCKS proxying, and enabling covert VNC (Virtual Network Computing) traffic tunnelling.

BleepingComputer has contacted both Zoom and Microsoft Teams to enquire about their plans to implement extra security measures to lessen the viability of Ghost Calls, despite the fact that it does not take advantage of any flaws in either program. Once we hear back from either, we’ll update this post.