Malicious hackers can utilize Microsoft Teams to launch innovative phishing attacks and discreetly carry out commands to steal data via GIFs using a new attack method known as "GIFShell."
The new attack pattern demonstrates how hackers can merge various Microsoft Teams flaws and security holes to reap the benefits of reliable Microsoft infrastructure and distribute malicious files, and orders, and perform data exfiltration via GIFs.
This attack chain can be highly destructive, especially in network security environments where Microsoft Teams may be one of a limited set of authorized, trusted hosts and apps, as per Raunch. The GIFShell stager can be persuasively dropped and implemented on the victim's computer by exploiting two additional vulnerabilities found in Microsoft Teams, including a lack of permission enforcement and attachment spoofing.
Bobby Rauch, a cybersecurity expert, and pentester revealed multiple holes in Microsoft Teams that may be chained together for code execution, data theft, cybersecurity bypasses, and phishing attacks. This led Rauch to the discovery of the new attack chain.
This attack's primary tool is referred to as "GIFShell," and it enables an attacker to build a reverse shell that sends malicious commands via base64-encoded GIFs in Teams and exfiltrates the output using GIFs recovered by Microsoft's own servers.
GIFShell Attack
Since the data exfiltration takes place through Microsoft's own systems, security software that interprets the traffic as normal Microsoft Team activity will have a hard time identifying it.
The attacker must first persuade a user to install a malicious stager that runs commands and uploads command outputs via a GIF URL to a Microsoft Teams web hook to construct this reverse shell.
Rauch created a new phishing attack on Microsoft Teams to help with this. As we know, phishing assaults are effective at infecting devices.
The 'stager,' a malicious program that GIFShell uses to mislead users into launching on their devices, continuously scans the Microsoft Teams logs.
Any malware on the system can access these logs because they contain all received messages and are viewable by all Windows user groups.
Hackers would build their own Microsoft Teams tenant after installing the stager and get in touch with other Microsoft Teams users from outside their organization. Attackers can easily accomplish this since Microsoft Teams by default permits external communication.
Rauch's GIFShell Python script enables the hackers to transmit a message to a Microsoft Teams user that comprises a specially created GIF to start the attack. This GIF file was altered to add instructions to run on the target's computer.
The email and the GIF will be saved in Microsoft Team's logs when the victim receives them, which the malware stager watches.
The base64-encoded commands will be extracted by the stager and run on the device when it recognizes a message that contains a GIF. The output of the command will subsequently be converted to base64 text by the GIFShell PoC.
The hacker's open Microsoft Teams webhook is accessed by the stager using this base64 text as the filename for a remote GIF placed in a Microsoft Teams poll card.
To get the GIF, which would be named using the base64-encoded result of the executed command, Microsoft's servers will link back to the hacker's server URL when Microsoft Teams creates flashcards for the user.
This request will be received by the GIFShell server, which is installed on the hacker's server, and will instantly decode the filename so that the hackers can view the results of the command issued to the targeted device.
The Microsoft Teams files folder has also been discovered to be accessed by other software, including malware and commercial monitoring tools like Veriato.
In a report to BleepingComputer, Microsoft purely reaffirmed its claim to Rauch stating, "We evaluated the methods mentioned by this researcher and found that the two stated do not satisfy the requirements for an immediate security fix. To help maintain customer security, we're always exploring for new ways to better combat phishing, and we might do something in a future release to assist prevent this tactic."
Users should ensure ethical computing habits online, including vigilance when clicking on links to websites, opening unexpected files, or allowing file transfers. Users shall remain aware of this type of phishing.
