Almost every workplace chat has that one person who considers himself a GIF Lord. If you're lucky, your workplace might even have a genuine one: someone who nails the perfect reply GIF every time and brightens the day of everyone in the channel. You're more likely to have someone who responds to everything with weird, awkward GIFs and treats policing the format's pronunciation as a personal crusade.
Regardless of legendary status, it's time to cast a wary eye on these GIF-happy coworkers. BleepingComputer reports on an exploit in Microsoft Teams that uses GIFs to install potentially malicious files, execute commands and even extract data via these funny moving images. Yeah, that random and totally inappropriate reaction GIF Blimothy posted last week doesn't seem so harmless now, does it?
Thankfully, the process takes a few steps. First of all, the intended target needs to install a stager that executes the commands delivered via these naughty GIFs. Considering that phishing attacks are still successful in this year of our GIF Lord 2022, that's not so unlikely. Especially since these are likely to come from a trusted work source, it's probably an innocent and easy mistake to make.
From here, the stager continuously scans the Microsoft Teams log file, looking for malicious GIFs. These GIFs have been given a reverse shell by the attackers. It contains base64-encoded commands that are stored in Teams GIFs and then perform malicious actions on the targeted computer. You can learn more about how these GIFShell attacks work on the Medium page of their discoverer, Bobby Rauch.
Once the GIF is received, it is saved in the chat log, which the stager then scans. When it sees the rendered GIF, it extracts that base64 code, runs it, and extracts the text. This text links to a remote GIF embedded in Teams poll cards. Because of how these work, it then connects to the attacker to retrieve the GIF, allowing the attackers to decrypt the file and gain access for further attacks.
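A defender-side sketch of the same kind of log inspection, added here as an example (it is not code from this article or from Bobby Rauch's write-up): it flags GIF-related log lines that carry base64 which decodes to readable text. The sample log lines, the 16-character threshold and the function names are assumptions constructed for illustration, and the real Teams log format is not reproduced.

```python
import base64
import binascii
import re

# Assumption: a base64 run of 16+ characters on a GIF line deserves a look.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
GIF_HINT = re.compile(r"\.gif\b|image/gif", re.IGNORECASE)


def decode_printable(token):
    """Return decoded text if token is base64 of printable ASCII, else None."""
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None  # binary junk: most likely an ordinary identifier, not text


def scan_log(lines):
    """Yield (line_number, token, decoded_text) for suspicious GIF lines."""
    for number, line in enumerate(lines, start=1):
        if not GIF_HINT.search(line):
            continue  # only GIF-related entries are of interest here
        for match in B64_TOKEN.finditer(line):
            decoded = decode_printable(match.group())
            if decoded is not None:
                yield number, match.group(), decoded


# Constructed sample data; the encoded text is a harmless marker string.
ENCODED = base64.b64encode(b"echo constructed-sample").decode()
SAMPLE_LOG = [
    '10:01:07 message: <img src="https://cdn.example/party-parrot.gif">',
    f'10:02:31 message: <img src="https://cdn.example/a.gif" alt="{ENCODED}">',
    f"10:03:02 user typing in channel General {ENCODED}",
    '10:04:45 message: <img src="https://cdn.example/ThisIsJustALongCamelCaseName.gif">',
]

if __name__ == "__main__":
    for number, token, decoded in scan_log(SAMPLE_LOG):
        print(f"line {number}: {token!r} decodes to {decoded!r}")
```

Requiring the decoded bytes to be printable keeps long file names and identifiers (line 4 of the sample) from being flagged, at the cost of missing payloads that are compressed or encrypted before encoding.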
Essentially, this relies on a number of different exploits being available in Teams, so hopefully a fix will come from Microsoft soon. Changing where Teams logs are stored or how the program retrieves GIFs would probably be enough to put a stop to any bad guys. At least now you have an actual reason to judge someone for using weird GIFs.