Almost every office chat has at least one person who believes themselves a GIF lord. If you're fortunate, your employer may have one: someone who always finds the perfect reaction and brightens your day and the days of everyone else on the channel.
More than likely, though, you have someone who responds to everything with strange emoticons and considers it their life's mission to regulate the format's pronunciation.
GIFs Might Not Be What You Think
Regardless of legendary status, it's time to keep a careful eye on those GIF-obsessed employees. Bleeping Computer reports on an attack in Microsoft Teams that uses these amusing moving pictures to possibly install malicious files, run commands, and even extract data. Yeah, Blimothy's strange and entirely out-of-place reaction from last week doesn't seem so benign now, does it?
Fortunately, the attack is divided into many phases. To begin, the intended target must install a stager that executes the commands provided by these naughty GIFs. Given that phishing attempts are still successful in 2022, that's not so implausible. And given that these will most likely seem to come from a trustworthy source at work, it's an easy mistake to make.
That stager will then continuously scan the Microsoft Teams log file, looking for any malicious code. The attackers will have given these GIFs a reverse shell, which includes base64-encoded commands that are saved in Teams and then executed on the target system. You can learn more about how these GIFShell attacks operate by visiting Bobby Rauch's Medium page.
When a message is received, it is recorded in the conversation log and scanned by the stager. When the stager sees a crafted GIF, it will extract the base64 code, run it, and extract the text. This text will link to a remote GIF embedded in Teams Survey cards. Because of how these cards function, it will then connect back to the attacker in order to fetch the GIF, allowing the attackers to decode the file and open the door to further attacks.
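The log scanning described above can also be run from the defender's side. The following is an added example, not code from the article or from Bobby Rauch's write-up: it flags GIF references whose name decodes from base64 into readable text. The log layout, the sample lines and the function names are constructed for illustration, and it assumes the encoded text sits in the GIF's file name.

```python
import base64
import binascii
import re

# Constructed token standing in for an encoded command (benign sample text).
_TOKEN = base64.b64encode(b"echo constructed-sample").decode()

# Constructed sample lines; the real Teams log layout is not shown in the article.
SAMPLE_LOG = [
    '2022-09-10T10:01:02 message from=alice body="see you at 3" attachment=cat.gif',
    '2022-09-10T10:02:10 message from=ext-user body="lol" attachment=%s.gif' % _TOKEN,
    '2022-09-10T10:03:44 message from=bob attachment=IMG20220910100344abcd.gif',
]

# A run of 16 or more base64 characters directly in front of ".gif".
CANDIDATE = re.compile(r'([A-Za-z0-9+/]{16,}={0,2})\.gif', re.IGNORECASE)


def decode_if_text(token):
    """Return the decoded text if token is strict base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None  # wrong padding or alphabet: an ordinary file name
    try:
        text = raw.decode('ascii')
    except UnicodeDecodeError:
        return None  # decodes to binary noise, not readable text
    return text if text.isprintable() else None


def find_suspicious(lines):
    """Return (line number, token, decoded text) for every GIF name that decodes to text."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in CANDIDATE.finditer(line):
            decoded = decode_if_text(match.group(1))
            if decoded is not None:
                hits.append((number, match.group(1), decoded))
    return hits


if __name__ == '__main__':
    for number, token, decoded in find_suspicious(SAMPLE_LOG):
        print('line %d: %s.gif decodes to %r' % (number, token, decoded))
```

A hit is only a lead for review: long random-looking file names are common, so the decoded text is what an analyst should look at.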