
New Ghost Calls tactic abuses Zoom and Microsoft Teams for C2 operations


A new post-exploitation command-and-control (C2) evasion method called 'Ghost Calls' abuses TURN servers used by conferencing apps like Zoom and Microsoft Teams to tunnel traffic through trusted infrastructure.

Ghost Calls uses legitimate credentials, WebRTC, and custom tooling to bypass most existing defenses and anti-abuse measures, without relying on an exploit.

This new tactic was presented by Praetorian security researcher Adam Crosser at Black Hat USA, where it was highlighted that the technique can be used by red teams in adversary-emulation exercises.

"We leverage web conferencing protocols, which are designed for real-time, low-latency communication and operate through globally distributed media servers that function as natural traffic relays," reads the presentation's briefing.

"This approach allows operators to blend interactive C2 sessions into normal enterprise traffic patterns, appearing as nothing more than a temporarily joined online meeting."

How Ghost Calls works

TURN (Traversal Using Relays around NAT) is a networking protocol commonly used by video call, VoIP, and WebRTC services that helps devices behind NAT firewalls communicate with each other when a direct connection is not possible.

When a Zoom or Teams client joins a meeting, it receives temporary TURN credentials. Ghost Calls tooling reuses those credentials to set up a TURN-relayed WebRTC tunnel between the attacker and the victim.

This tunnel can then be used to proxy arbitrary data or disguise C2 traffic as regular video conferencing traffic through trusted infrastructure used by Zoom or Teams.

Because the traffic is routed through legitimate domains and IP addresses that are widely used in the enterprise, the malicious traffic can pass through firewalls, proxies, and TLS inspection. Additionally, WebRTC media traffic is encrypted, so the tunnelled payload is not visible to inspection devices.
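The relay mechanism described above rests on ordinary TURN signalling: a client sends an Allocate request to the relay and then keeps the allocation alive with periodic Refresh requests. The following added example (written for this article, not Praetorian's tooling or any conferencing vendor's code) parses STUN/TURN control messages as defined in RFC 5389 and RFC 5766 and applies one defender-side heuristic: a relay allocation that is refreshed for far longer than any meeting plausibly lasts is worth a look. The sample packets are constructed, and the 8-hour threshold is an illustrative assumption to tune against your own meeting-duration baseline. TURN messages over UDP are cleartext at the transport layer even though the media they carry is encrypted, so a network sensor can apply this without TLS inspection; for TURN over TLS on port 443 only flow-level duration and volume are available.

```python
"""Parse TURN/STUN control messages and flag relay sessions that outlive a plausible meeting.

Added example for this article (not Praetorian's tooling). Message layout follows
RFC 5389 (STUN header, attribute TLVs) and RFC 5766 (TURN methods). The sample
packets below are constructed, and the 8-hour threshold is an illustrative assumption.
"""
import struct
from dataclasses import dataclass, field

MAGIC_COOKIE = 0x2112A442
METHODS = {0x001: "Binding", 0x003: "Allocate", 0x004: "Refresh", 0x006: "Send",
           0x007: "Data", 0x008: "CreatePermission", 0x009: "ChannelBind"}
CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}
ATTR_LIFETIME = 0x000D            # RFC 5766 LIFETIME attribute
ATTR_REQUESTED_TRANSPORT = 0x0019  # RFC 5766 REQUESTED-TRANSPORT attribute


@dataclass
class StunMessage:
    method: str
    cls: str
    transaction_id: bytes
    attributes: dict = field(default_factory=dict)  # attribute type -> raw value


def parse_stun(data: bytes):
    """Return a StunMessage, or None if the bytes are not a well-formed STUN/TURN message."""
    if len(data) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    # The top two bits must be zero and the magic cookie must match (RFC 5389 section 6).
    if msg_type & 0xC000 or cookie != MAGIC_COOKIE or len(data) < 20 + length:
        return None
    # Method bits M11..M0 and class bits C1,C0 are interleaved in the 14-bit type field.
    method = ((msg_type & 0x3E00) >> 2) | ((msg_type & 0x00E0) >> 1) | (msg_type & 0x000F)
    cls = ((msg_type & 0x0100) >> 7) | ((msg_type & 0x0010) >> 4)
    attrs, pos, end = {}, 20, 20 + length
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        attrs[atype] = data[pos + 4:pos + 4 + alen]
        pos += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4-byte boundaries
    return StunMessage(METHODS.get(method, f"0x{method:03x}"), CLASSES[cls], data[8:20], attrs)


def build_stun(msg_type: int, attrs, tid: bytes = b"\x01" * 12) -> bytes:
    """Encode a STUN/TURN message; used here only to construct sample traffic."""
    body = b""
    for atype, value in attrs:
        body += struct.pack("!HH", atype, len(value)) + value + b"\x00" * (-len(value) % 4)
    return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + tid + body


def session_findings(packets, max_hours: float = 8.0):
    """packets: iterable of (timestamp_seconds, raw_bytes) for one client/relay pair.

    A TURN allocation only stays alive while the client keeps sending Refresh
    requests, so an allocation refreshed for much longer than any meeting lasts
    is an anomaly worth triaging (threshold is an assumption; tune to your baseline).
    """
    parsed = [(ts, m) for ts, raw in packets if (m := parse_stun(raw)) is not None]
    allocs = [ts for ts, m in parsed if m.method == "Allocate" and m.cls == "request"]
    refreshes = [ts for ts, m in parsed if m.method == "Refresh" and m.cls == "request"]
    findings = []
    if allocs:
        span_hours = (max(allocs + refreshes) - min(allocs)) / 3600
        if span_hours > max_hours:
            findings.append(f"relay allocation kept alive for {span_hours:.1f}h "
                            f"across {len(refreshes)} refreshes (threshold {max_hours}h)")
    return findings


# Constructed sample traffic: an Allocate request followed by periodic Refresh requests.
ALLOCATE = build_stun(0x0003, [(ATTR_REQUESTED_TRANSPORT, b"\x11\x00\x00\x00")])  # UDP relay
REFRESH = build_stun(0x0004, [(ATTR_LIFETIME, struct.pack("!I", 600))])

MEETING = [(0, ALLOCATE)] + [(t, REFRESH) for t in range(300, 2701, 300)]       # ~45 minutes
LONG_LIVED = [(0, ALLOCATE)] + [(t, REFRESH) for t in range(300, 36001, 300)]   # ~10 hours

if __name__ == "__main__":
    print(parse_stun(ALLOCATE))
    print("meeting:", session_findings(MEETING))
    print("long-lived:", session_findings(LONG_LIVED))
```

Duration alone will not separate a relayed C2 session from a genuine all-day meeting, so in practice this signal is best joined with endpoint telemetry (which process opened the socket, whether a conferencing client was actually running) and with the calendar or meeting-audit data the conferencing platform exposes.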
