GIFShell, a New Tool to Abuse Microsoft Teams GIFs

How GIFShell works?

• The main component is GIFShell which allows the creation of a reverse shell. 
• This delivers malicious commands using Base64 encoded GIFs in Teams and steals output via GIFs from Microsoft's own servers.

Scanning via reverse shell

• To begin, the attacker fools a targeted user into loading a malware executable stager on their systems that will regularly scan the Microsoft Teams logs at a specific location.
• All messages received on Teams are stored in these logs and are readable by all Windows user groups, thus, accessible by malicious files or malware on the system.
• Once the stager is placed, the attacker creates its own Teams tenant and contacts other Teams users outside of the organization, as external communication is allowed by default in Teams.

Malicious code execution

• This GIF image is a legitimate image file, modified to include commands to run on the target system.
• This message within the GIF gets stored in the Team’s log files and is scanned by the malicious stager monitor, which executes the commands on the device.
• The GIFShell PoC takes the output of the executed commands and converts it toBase64 text. The stager leverages this text to create a GIF file and keeps that as a Microsoft Teams Survey Card.
• The attacker creates a URL request for a GIF, which is the same name as the GIF file created by the stager.
• Upon receiving this request, Microsoft attempts to retrieve the GIF file, and eventually delivers the GIF (created by stager) carrying the sensitive information.

Closing lines