Almost every workplace chat has a person who fancies themselves a bit of a GIF lord. If you’re lucky, your workplace might actually have one: someone who nails the perfect response GIF every time, brightening your day and the days of everyone else on the channel. More than likely, you have someone who replies to everything with weirdly obnoxious GIFs and considers it their life’s crusade to police the pronunciation of the format.
Well, regardless of legendary status, it’s time to cast a wary eye on these happy little GIFs. BleepingComputer tells of an exploit in Microsoft Teams that uses GIFs to potentially install malicious files, execute commands, and even extract data through these fun animations. Yeah, that random and totally weird reaction GIF that Blimothy posted last week doesn’t seem so harmless now, does it?
Fortunately, there are a few steps to the process. First of all, the intended target needs to install a stager to execute the commands delivered through these naughty GIFs. Since phishing attacks are still successful in this, the year of the GIF lord 2022, that’s not so unlikely. Especially considering that the messages would appear to come from a trusted work source, it’s an innocent and easy mistake to make.
From here, the stager continuously scans the Microsoft Teams logs, looking for any bad GIFs. These GIFs are the attackers’ side of a reverse shell: they carry base64-encoded commands, stored in GIFs in Teams, which then perform malicious actions on the target machine. You can learn more about how these GIFShell attacks work from the discoverer, Bobby Rauch, on Medium.
Once the GIF is received, it is saved to the chat log, which is then scanned by the stager. On seeing the crafted GIF, the stager extracts the base64 code, executes it, and extracts the resulting text. This text is used to link to a remote GIF embedded in Teams survey cards. Because of the way these cards work, a connection is then made back to the attacker to retrieve the GIF, allowing the attackers to decode the file and opening the way to further attacks.
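For defenders, the same property can be turned into a check: a GIF reference whose name decodes from base64 into readable text is worth a look. The following is an added example, not code from the article or from Bobby Rauch's write-up; it assumes the encoded text sits in the GIF's file name and that log lines are available as plain text, and the sample lines are constructed.

```python
import base64
import binascii
import re

# A GIF reference whose name is a long run of URL-safe base64 characters.
GIF_REF = re.compile(r"([A-Za-z0-9_-]{16,}={0,2})\.gif\b", re.I)

def decode_if_text(stem):
    """Return the decoded text if stem is base64 for printable ASCII, else None."""
    body = stem.rstrip("=").replace("-", "+").replace("_", "/")
    body += "=" * (-len(body) % 4)            # restore stripped padding
    try:
        text = base64.b64decode(body, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None                            # not base64, or binary noise
    ok = all(c.isprintable() or c in "\r\n\t" for c in text)
    return text if ok else None

def scan(log_text):
    """Return (line number, GIF name, decoded text) for each suspicious reference."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for m in GIF_REF.finditer(line):
            text = decode_if_text(m.group(1))
            if text is not None:
                hits.append((lineno, m.group(0), text))
    return hits

# Constructed sample data: hosts, URLs and the encoded string are made up.
_ENC = base64.urlsafe_b64encode(b"constructed sample output text").decode()
SAMPLE_LOG = f"""\
2022-09-12T10:01:02Z ws-114 image https://media.example.net/reactions/thumbs-up.gif
2022-09-12T10:01:09Z ws-114 image https://cdn.example.org/a/{_ENC}.gif
2022-09-12T10:02:44Z ws-207 image https://media.example.net/img/cat_typing_fast_2022.gif
2022-09-12T10:03:15Z ws-114 image https://cdn.example.org/a/{_ENC}.png
"""

if __name__ == "__main__":
    for lineno, name, text in scan(SAMPLE_LOG):
        print(f"line {lineno}: {name} decodes to {text!r}")
```

Ordinary names such as `cat_typing_fast_2022.gif` use the same character set but decode to non-text bytes, so they are not flagged; treat hits as leads to review, not verdicts.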
Essentially, this requires chaining a bunch of different exploits available in Teams to work, so hopefully there will be a fix soon from Microsoft. A change in where Teams logs are stored or in how the program retrieves GIFs would probably be enough to throw a wrench in the works of any villain. For now, at least you have a real reason to stop someone from using weird GIFs.