ClickCease New 'GIFShell' Attack Technique Exploits Microsoft Teams GIFs - TuxCare

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

New ‘GIFShell’ Attack Technique Exploits Microsoft Teams GIFs

Obanla Opeyemi

September 20, 2022 - TuxCare expert team

A new ‘GIFShell” attack technique exploits bugs and vulnerabilities in Microsoft Teams to abuse legitimate Microsoft infrastructure, execute malicious files, execute commands, and exfiltrate data.

According to Bobby Rauch, the cybersecurity consultant and pentester who discovered the hidden vulnerabilities, the “GIFShell” technique allows attackers to create a reverse shell that transmits malicious commands via base64 encoded GIFs in Teams. The outputs are then exfiltrated through GIFs retrieved by Microsoft’s own infrastructure.

To create the reverse shell, attackers need to convince a user to install a malicious stager that executes commands and uploads command output via a GIF URL to a Microsoft Teams web hook.

Microsoft Teams vulnerabilities exploited by the malware include Microsoft Teams security controls bypass which allows external users to send attachments to Microsoft Teams users.

The malware also modifies sent attachments to allow users to download files from an external URL instead of the generated SharePoint link. It forges attachments from Microsoft Teams to appear as harmless files, but instead downloads a malicious executable program or document. It uses insecure URLs to allow SMB NTLM hash theft or NTLM relay attacks.

Microsoft supports sending HTML-based 64-encoded GIFs, but does not scan the byte content of these GIFs. This allows malicious commands to be delivered within a normal-looking GIF. Since Microsoft stores Teams messages in a parsable file located locally on the victim’s machine, it can be accessed by a less privileged user.

Microsoft servers fetch GIFs from remote servers that allow data exfiltration via GIF file names.

The sources for this piece include an article in BleepingComputer.

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Related Articles

New Hook malware for Android...

ThreatFabric cybersecurity researchers have discovered a new type of Android...

January 31, 2023

How GPT models can be...

According to CyberArk researchers, GPT-based models like ChatGPT can be...

January 30, 2023

Attackers actively exploit Unpatched Control...

Malicious hackers have started exploiting a critical vulnerability CVE-2022-44877 in...

January 27, 2023

Attackers distribute malware via malicious...

Deep Instinct researchers reported that RATs like StrRAT and Ratty...

January 26, 2023

CircleCI partners AWS to identify...

According to CircleCI’s CTO, Rob Zuber, CircleCI is working with...

January 25, 2023

Cisco warns of authentication bypass...

A remote attacker could exploit multiple vulnerabilities in four Cisco...

January 24, 2023