Microsoft Teams as a Command and Control Channel: How can organizations protect themselves from GIFShell attacks?
By BUFFERZONE Team, 14/12/2022
Most organizations focus on warning their employees to watch for, and refrain from downloading, malware spread by email. However, cybercriminals use many other methods to enter organizational networks, including legitimate communications applications such as Teams, WhatsApp, Messenger and Zoom, which millions of workers worldwide use every day.
The latest example of this danger was illustrated by the revelation of a new attack technique called ‘GIFShell’, which enables threat actors to abuse Microsoft Teams for novel phishing attacks and to covertly execute commands to steal data.
In such an attack, the attacker fools the user into downloading a malicious executable, known as a “stager”. The stager uses Microsoft Teams as a command-and-control channel, passing hidden commands inside GIF files.
The researcher who discovered this attack technique found that when someone sends a file to another user in the same tenant, Microsoft generates a SharePoint link that is embedded in a JSON POST request to the Teams endpoint. This JSON can be modified to hide a malicious stager executable: the user appears to be downloading a JPEG, but the file is actually a malicious executable. This is one example; other attack vectors can be used to deliver the stager.
The stager’s purpose is to collect information from the Teams logs, which contain all chat information. All received messages are saved to these logs, and the logs are readable by all Windows user groups, so any malware on the device can read them and use them as a command-and-control channel over Teams’ legitimate infrastructure.
Once the stager is in place, the attacker moves to the next stage: creating their own Microsoft Teams tenant and contacting Microsoft Teams users outside the organization. Attackers can easily do this because Microsoft allows external communication in Microsoft Teams by default.
To initiate the attack, the attacker runs a Python script that sends a message to the Teams user containing a modified GIF, which carries a command to be executed on the victim’s machine.
The GIF stores the command-and-control commands, and the stager monitors the logs for them. Upon detecting a message with a GIF, it extracts the base64-encoded commands and executes them on the device.
The output of the executed command is converted to base64 text, which is used as the filename of a remote GIF embedded in a Microsoft Teams Survey Card that the stager submits to the attacker’s public Microsoft Teams webhook. When Microsoft Teams renders the flash cards for the user, Microsoft’s servers connect back to the attacker’s server URL to retrieve the GIF, whose name is the base64-encoded output of the executed command, so the command output is delivered to the GIFShell server running on the attacker’s server. The filename is then automatically decoded, allowing the attacker to see the output of the command run on the victim’s device.
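The two paragraphs above describe two artefacts a defender can look for: an inbound GIF that carries extra data after its 0x3B trailer, and an outbound GIF URL whose filename is a long base64 blob. The following Python is an added detection example, not code from the original article or from BUFFERZONE; the GIF bytes, payload string, hostnames and URLs in it are constructed for illustration, and the parser walks the GIF block structure rather than searching for 0x3B, because that byte can legitimately occur inside image data.

```python
"""Detection heuristics for the GIFShell pattern: (1) a GIF with data appended
after its trailer, (2) a GIF URL whose filename is base64. Added example;
all sample bytes, hostnames and URLs below are constructed."""
import base64
import re
import struct
from typing import Optional
from urllib.parse import urlparse

# Standard or URL-safe base64 alphabet, at least 16 characters, optional padding.
B64_RE = re.compile(rb"^[A-Za-z0-9+/\-_]{16,}={0,2}$")


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past GIF data sub-blocks: [len][bytes]... terminated by a 0 byte."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def gif_trailing_data(gif: bytes) -> bytes:
    """Walk the GIF structure and return any bytes that follow the 0x3B trailer."""
    if gif[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 6
    _w, _h, packed, _bg, _aspect = struct.unpack_from("<HHBBB", gif, pos)
    pos += 7
    if packed & 0x80:  # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    while pos < len(gif):
        block = gif[pos]
        pos += 1
        if block == 0x3B:  # trailer: anything after it is not part of the image
            return gif[pos:]
        if block == 0x21:  # extension: one label byte, then sub-blocks
            pos = _skip_sub_blocks(gif, pos + 1)
        elif block == 0x2C:  # image descriptor: 9 bytes, optional local table
            lpacked = gif[pos + 8]
            pos += 9
            if lpacked & 0x80:
                pos += 3 * (2 ** ((lpacked & 0x07) + 1))
            pos += 1  # LZW minimum code size
            pos = _skip_sub_blocks(gif, pos)
        else:
            raise ValueError(f"unknown block 0x{block:02x} at offset {pos - 1}")
    raise ValueError("no trailer found")


def decode_if_base64(blob: bytes) -> Optional[bytes]:
    """Return decoded bytes when `blob` is plausible base64, otherwise None."""
    blob = blob.strip()
    if not B64_RE.match(blob) or len(blob) % 4:
        return None
    try:
        return base64.b64decode(blob.replace(b"-", b"+").replace(b"_", b"/"), validate=True)
    except ValueError:
        return None


def inspect_gif(gif: bytes) -> dict:
    """Report appended data and, if it is base64, its decoded content."""
    extra = gif_trailing_data(gif)
    decoded = decode_if_base64(extra) if extra else None
    return {"trailing_bytes": len(extra), "base64_payload": decoded}


def is_base64_gif_url(url: str) -> bool:
    """Flag GIF URLs whose filename (minus .gif) decodes as base64: the shape
    the exfiltration step above produces from command output."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    if not name.lower().endswith(".gif"):
        return False
    return decode_if_base64(name[:-4].encode()) is not None


# --- constructed samples: a valid 1x1 GIF, and the same GIF with an appended payload
CLEAN_GIF = (
    b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)  # header + screen descriptor
    + b"\x00\x00\x00\xff\xff\xff"                       # 2-entry global colour table
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)     # image descriptor
    + b"\x02" + b"\x02\x44\x01" + b"\x00"                # LZW min code + one sub-block
    + b"\x3b"                                            # trailer
)
SAMPLE_PAYLOAD = b"CONSTRUCTED-SAMPLE-PAYLOAD"
SMUGGLING_GIF = CLEAN_GIF + base64.b64encode(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(inspect_gif(CLEAN_GIF))
    print(inspect_gif(SMUGGLING_GIF))
    print(is_base64_gif_url("https://cdn.example/images/cat.gif"))
    print(is_base64_gif_url("https://webhook.example/c2FtcGxlIGNvbW1hbmQgb3V0cHV0.gif"))
```

Both checks are heuristics: a short base64 filename or a GIF with benign trailing junk can trigger them, so in practice they belong in a scoring pipeline alongside the sender's tenant and the destination host of the fetched GIF rather than as a hard block on their own.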
The attacker can continue using the GIFShell server to send more GIFs with further embedded commands, receiving the output each time Microsoft attempts to retrieve the GIFs.
Because these requests are made by Microsoft’s servers and look like regular Microsoft Teams communication, security software sees the traffic as legitimate. This allows the GIFShell attack to covertly exfiltrate data by mixing command output with legitimate Microsoft Teams network traffic.
One of the best ways to prevent damage from such an attack is to run Microsoft Teams in BUFFERZONE Safe Workspace. With Safe Workspace, MS Teams runs in a virtual container, so any activity that takes place in Teams is contained and cannot cause damage outside the container. BUFFERZONE Safe Workspace protects the endpoint from the stager by isolating it and preventing the installation of unauthorized executables. Furthermore, all source files and registry keys are preserved and protected. With a security policy that enforces frequent emptying of the container, this type of attack will be prevented.
Ran Dubin, the author of the article, is the CTO of BUFFERZONE.