Almost every workplace chat has that one person who considers themselves a bit of a GIF lord. If you’re lucky, your workplace may actually have one. Someone who nails the perfect response GIF every time, brightening your day and the days of all others in the channel. More likely you have someone who replies to everything with weird unpleasant GIFs and considers it their life’s crusade to police the pronunciation of the format.
Well regardless of legendary status, it’s time to cast a wary glare over those GIF happy coworkers. Bleeping Computer (opens in new tab) tells of an exploit in Microsoft Teams that uses GIFs to potentially install malicious files, perform commands, and even extract data via these fun moving images. Yeah that random and completely out of place reaction GIF Blimothy posted last week doesn’t seem so innocuous now, does it.
Thankfully there are a few steps to the process. First of all the intended target needs to install a stager to execute the commands given via these naughty GIFs. Given phishing attacks are still successful in this, the year of our GIF lord 2022, (opens in new tab) it’s not that unlikely. Especially considering these likely come from a trusted in work source, it’s likely an innocent and easy mistake to make.
From here that stager will run continuous scans on the Microsoft Team logs file, looking for any evil GIFs. These GIFs will have been given a reverse shell by the attackers. This will contain base64 encoded commands which are stored in Team’s GIFs, that then perform malicious actions on the target machine. You can find out more about how these GIFShell attacks work via the discover, Bobby Rauch’s, Medium page. (opens in new tab)
Once the GIF is received, it’s stored in the chat log which is then scanned by the stager. Seeing the crafted GIF it will then extract that base64 code and execute and extract the text. This text will point back to a remote GIF which is embedded in Teams Survey cards. Due to how these works, it then will connect back to the attacker to retrieve the GIF, allowing the attackers to decode the file and gain access to further attacks.
Essentially this takes a bunch of different available exploits in Teams to work, so hopefully a fix should be coming from Microsoft soon. A change to where Teamlogs are stored or how the program retrieves GIFs would likely be enough to throw a spanner in the works of any evildoers. For now, at least you have an actual reason to tell someone off for using weird GIFs.
