A new attack technique, GIFShell, has surfaced that allows an attacker to abuse Microsoft Teams. The attackers can use this technique in phishing attacks and execute commands using GIFs.

How GIFShell works?

The new attack has been discovered by a security researcher who found various flaws in Microsoft Teams and chained them together for various attack scenarios, including data exfiltration, command execution, security bypasses, and phishing.
  • The main component is GIFShell which allows the creation of a reverse shell. 
  • This delivers malicious commands using Base64 encoded GIFs in Teams and steals output via GIFs from Microsoft's own servers.

Since the data exfiltration is performed by leveraging Microsoft's own servers, it is challenging to identify the traffic and differentiate it from the legitimate Team traffic.

Scanning via reverse shell

To create the reverse shell, the attacker has to convince a user to install a malicious stager that executes commands and uploads command output through a GIF URL to a Microsoft Teams webhook.
  • To begin, the attacker fools a targeted user into loading a malware executable stager on their systems that will regularly scan the Microsoft Teams logs at a specific location.
  • All messages received on Teams are stored in these logs and are readable by all Windows user groups, thus, accessible by malicious files or malware on the system.
  • Once the stager is placed, the attacker creates its own Teams tenant and contacts other Teams users outside of the organization, as external communication is allowed by default in Teams.

Malicious code execution

To initiate an attack, the attacker uses the GIFShell Python script to send a message to a Team user with a specially crafted GIF.
  • This GIF image is a legitimate image file, modified to include commands to run on the target system.
  • This message within the GIF gets stored in the Team’s log files and is scanned by the malicious stager monitor, which executes the commands on the device.
  • The GIFShell PoC takes the output of the executed commands and converts it toBase64 text. The stager leverages this text to create a GIF file and keeps that as a Microsoft Teams Survey Card.
  • The attacker creates a URL request for a GIF, which is the same name as the GIF file created by the stager.
  • Upon receiving this request, Microsoft attempts to retrieve the GIF file, and eventually delivers the GIF (created by stager) carrying the sensitive information.

Closing lines

The GIFShell attack has been successfully demonstrated by the researcher by displaying a possible scenario of exploitation. After being contacted by the researcher, Microsoft claims to have left a door open to resolving these issues and stated that these vulnerabilities may be fixed in future versions.
Cyware Publisher