September 9, 2022 at 5:27 PM
September 8, 2022
TL;DR
GIFShell allows threat actors to abuse Microsoft Teams for novel phishing attacks and for covertly executing commands to steal data using ... GIFs.
GIFShell works by tricking a user into loading a malware executable called the "stager" on their device that will continuously scan the Microsoft Teams logs.
The attack technique utilizes a variety of Microsoft Teams flaws and vulnerabilities:
- Spoof Microsoft Teams attachments to appear as harmless files.
- Insecure URI schemes to allow SMB NTLM hash theft or NTLM relay attacks.
- Microsoft supports sending HTML base64-encoded GIFs, but does not scan the byte content of those GIFs.
- Microsoft servers retrieve GIFs from remote servers, allowing data exfiltration via GIF filenames.
For example, a retrieved GIF file named 'dGhlIHVzZXIgaXM6IA0KYm9iYnlyYXVjaDYyNzRcYm9iYnlyYXVJa0K.gif' would decode to the output from the 'whoami' command executed on the infected device.
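As an added example (not the author's or the GIFShell project's code), a small Python detector for the exfiltration pattern described above: given GIF URLs seen in Teams message content or a web proxy log, it flags filenames that base64-decode to readable text, the way the 'whoami' output does. The log format and the encoded sample output are constructed; a real deployment would feed it whatever GIF-URL source the defender actually has.

```python
import base64
import re
import string
from typing import List, Optional, Tuple
from urllib.parse import urlparse

MIN_STEM_LEN = 16  # short stems such as "cats" rarely decode to readable text; skip them
PRINTABLE = set(string.printable)

def decode_gif_stem(filename: str) -> Optional[str]:
    """Return the text a .gif filename decodes to if it is base64 of readable text, else None."""
    if not filename.lower().endswith(".gif"):
        return None
    stem = filename[:-4].rstrip("=")
    if len(stem) < MIN_STEM_LEN or not re.fullmatch(r"[A-Za-z0-9+/_-]+", stem):
        return None
    # Accept the URL-safe alphabet and restore padding the sender may have stripped.
    padded = stem.replace("-", "+").replace("_", "/") + "=" * (-len(stem) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    # Command output is almost entirely printable; random bytes that happen to decode are not.
    if not text or sum(c in PRINTABLE for c in text) / len(text) < 0.95:
        return None
    return text

def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (url, decoded_text) for every GIF URL whose filename decodes to readable text."""
    hits = []
    for line in lines:
        for url in re.findall(r"https?://\S+", line):
            name = urlparse(url).path.rsplit("/", 1)[-1]
            decoded = decode_gif_stem(name)
            if decoded is not None:
                hits.append((url, decoded))
    return hits

# Constructed sample: command output smuggled out as a URL-safe base64 filename, between two benign GIFs.
SAMPLE_OUTPUT = "the user is:\r\nCONTOSO\\jdoe\r\n"
SUSPICIOUS_URL = "https://cdn.example.net/" + base64.urlsafe_b64encode(SAMPLE_OUTPUT.encode()).decode() + ".gif"
SAMPLE_LOG = [
    "2022-09-08T17:27:01Z GET https://media.example.com/gifs/celebrate.gif 200",
    f"2022-09-08T17:27:05Z GET {SUSPICIOUS_URL} 200",
    "2022-09-08T17:27:09Z GET https://media.example.com/gifs/party_popper_animation(1).gif 200",
]

if __name__ == "__main__":
    for url, text in scan_log(SAMPLE_LOG):
        print(f"suspicious GIF filename in {url}\n  decodes to: {text!r}")
```

The printable-ratio threshold and minimum stem length are tuning knobs; lower them for more recall at the cost of false positives on long benign names.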
https://github.com/bobbyrsec/Microsoft-Teams-GIFShell
Full link
https://www.bleepingcomputer.com/news/security/gifshell-attack-creates-reverse-shell-using-microsoft-teams-gifs/