GIFShell – New Attack Method That Allows Attackers to Steal Data Using Microsoft Teams GIFs

A cybersecurity consultant and pentester, Bobby Rauch recently discovered that threat actors are abusing Microsoft Teams by executing phishing attacks using a new attack technique known as GIFshell. Using GIFs to execute covert commands for the purpose of stealing data.

With the use of this new method, attackers can create complex attacks that exploit a variety of weaknesses in Microsoft Teams. The threat actors do so to abuse the legit Microsoft infrastructure to deliver and perform:-

  • Malicious files
  • Illicit commands
  • Exfiltrate data via GIFs 

The data is being exfiltrated through servers that are controlled by Microsoft itself. While the primary reason for this is to make sure that security software is less likely to be able to detect this traffic.

GIFShell

Due to security concerns, no external users are permitted to share any files with users in another occupant by default. The purpose of this feature is to prevent external users from sending malicious attachments via Microsoft Teams to a user in another organization.

EHA

While there will be no paperclip option available to upload an attachment when one user in one org will try to send any file to another user who is present in another org.

This attack is based on a component called GIFShell, which is one of the most important parts. As a result, a reverse shell can be created by an attacker to deliver malicious commands inside Teams by using base64 encoded GIF files.

In order to make GIFShell work, a malicious executable known as the “stager” is tricked into taking over a user’s device by tricking them into loading it. The Microsoft Teams logs located at the following locations will be continuously scanned by this executable:-

$HOME\AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb\*.log.

Following the installation of the stager, a threat actor would create a Microsoft Teams tenant in order to launch the attack. After that, they contact the users outside their organization who are using Microsoft Teams. 

Microsoft Teams by default allows external communication, so attackers can easily take advantage of that feature to gain access to your team.

The stager can extract the base64 encoded commands from a message with a GIF and execute them on a device when it detects such a message. After that, the output of the executed command will then be converted to base64 text by the GIFShell PoC.

A consequence of this attack is that legitimate Microsoft Teams network traffic is mixed with the output of the GIFShell attack which allows it to covertly exfiltrate data.

In response to the research, Microsoft conceded the research but urged that no security boundaries had been breached, so it would not be fixed.

Prerequisites to recite the attack

Here below we have mentioned all the prerequisites to recite the attack:-

  • On the attacker’s system, the GIFShell Python script should be executed.
  • On the victim’s system, it’s necessary to execute the GIFShell Powershell stager.
  • Required two Microsoft Azure Organizations or Tenants. 
  • At least two users should be present in the organization or tenant of the attacker, and at least one user should be present in the organization of the victim. The purpose of this exercise is to test the work edition of Microsoft Teams.
  • Required two Microsoft Teams users for personal use. Here, Microsoft Teams Home Edition is used for testing purposes only.
  • An available webhook on a Teams channel can be accessed by anyone.
  • You can choose any GIF you like.
  • This IP address is open to the public and can be operated as a listener for incoming requests from the web.

Mitigations

Here below we have mentioned all the recommended mitigations:-

  • Training should be provided to users on the importance of not clicking on attachments from unknown sources.
  • Microsoft Defender for Office 365 provides a Safe Attachments policy which may help prevent Drive-By download attacks on Office 365.
  • NTLM should be disabled entirely or SMB signing should be enabled.
  • In order to avoid NTLM attacks, you should ensure that you have in place a complex password policy.

Download Free SWG – Secure Web Filtering – E-book

BALAJI is a Former Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.