A new tax-themed malware campaign targeting the insurance and financial sectors has been spotted using GitHub links in phishing emails as a way to bypass security measures and deliver the Remcos RAT, suggesting that this method is gaining popularity among threat actors.
“This campaign used legitimate repositories such as the open-source tax filing software UsTaxes, HMRC and InlandRevenue, instead of unknown, low-star repositories,” said Cofense researcher Jacob Malimban.
“The use of trusted repositories to deliver malware is relatively new compared to threat actors creating their own GitHub malware repositories. These malicious GitHub links can be linked to any repository that allows comments.”
Central to the attack chain is the abuse of GitHub’s infrastructure to host malicious payloads. One of the techniques, first documented by OALABS Research in March 2024, involves threat actors opening a GitHub issue on a well-known repository, uploading a malicious payload to it, and then closing the issue without saving it.
In doing so, the uploaded file was found to persist even though the issue is never saved, a vector ripe for abuse as it allows attackers to upload any file of their choosing and leave no trace other than the link to the file itself.
This approach has been weaponized to trick users into downloading a Lua-based malware loader capable of setting up persistence on infected systems and delivering additional payloads, as detailed by Morphisec this week.
The phishing campaign discovered by Cofense uses a similar tactic, the only difference being that it uses GitHub comments to attach a file (i.e., malware), after which the comment is deleted. As in the above case, the link remains active and is distributed through phishing emails.
“Emails linking to GitHub are effective at bypassing SEG security because GitHub is usually a trusted domain,” Malimban said. “GitHub links allow threat actors to directly link to a malware archive in an email without using Google redirects, QR codes, or other SEG bypass methods.”
The development came after Barracuda Networks disclosed new methods adopted by phishers, among them ASCII- and Unicode-based QR codes and blob URLs, as a way to make malicious content harder to block and to avoid detection.
“A blob URI (also known as a blob URL or an object URL) is used by browsers to represent binary data or file-like objects (called blobs) that are temporarily stored in the browser’s memory,” said security researcher Ashitosh Deshnur.
“Blob URIs allow web developers to work with binary data, such as images, videos, or files, directly in the browser without having to send or receive it from an external server.”
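The two delivery tricks described above, attachment links on github.com that outlive the deleted issue or comment, and blob: URIs that a gateway cannot fetch because they exist only inside the recipient’s browser, can both be caught at URL-triage time. The following is an added example written for this article, not code from Cofense, Barracuda or the cited research; the sample email bodies are constructed, and the two attachment path shapes (the older `/<owner>/<repo>/files/<id>/<name>` form and the newer `/user-attachments/files/...` form) are an assumption about how GitHub serves issue and comment uploads.

```python
import re
from urllib.parse import urlparse

# Constructed sample email bodies for the demo; the hosts, repositories and
# file names are placeholders, not indicators from the reported campaign.
SAMPLE_EMAILS = [
    "Your 2023 tax documents are ready: "
    "https://github.com/example-org/example-repo/files/12345678/Tax_Forms_2023.zip",
    "Review the attached filing at "
    "https://github.com/user-attachments/files/87654321/return.rar before Friday.",
    "Source is at https://github.com/example-org/example-repo/blob/main/README.md if you want to check.",
    "Open your statement: blob:https://bank.example/7f3b1c8e-1111-2222-3333-444455556666",
]

# Container formats commonly used to wrap a dropper; extend to taste.
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso", ".img", ".gz")

# Assumption: issue/comment uploads are served from one of these two path shapes.
OLD_ATTACH = re.compile(r"^/[^/]+/[^/]+/files/\d+/[^/]+$")
NEW_ATTACH = re.compile(r"^/user-attachments/(files|assets)/")

# Pull http(s) and blob: references out of free text.
URL_RE = re.compile(r"\b(?:https?://|blob:)\S+")


def classify_url(url: str) -> dict:
    """Return a triage record for one URL: verdict plus the reason a reviewer needs."""
    if url.startswith("blob:"):
        # An object URL only resolves inside the browser that created it;
        # a secure email gateway has nothing it can fetch and scan.
        return {"url": url, "verdict": "unscannable",
                "reason": "blob: URI lives in browser memory; nothing for a gateway to fetch"}

    parsed = urlparse(url)
    host, path = parsed.netloc.lower(), parsed.path
    if host != "github.com":
        return {"url": url, "verdict": "allow", "reason": "no rule of interest"}

    if OLD_ATTACH.match(path) or NEW_ATTACH.match(path):
        # Attachment content is not part of the repository's reviewed code and
        # survives deletion of the issue or comment it was uploaded through.
        reason = "GitHub issue/comment attachment; not tied to repository code"
        if path.lower().endswith(ARCHIVE_EXT):
            return {"url": url, "verdict": "block", "reason": reason + "; points to an archive"}
        return {"url": url, "verdict": "review", "reason": reason}

    return {"url": url, "verdict": "allow", "reason": "repository content path"}


def triage_email(body: str) -> list:
    """Classify every URL found in an email body, stripping trailing punctuation."""
    return [classify_url(u.rstrip(".,;)")) for u in URL_RE.findall(body)]


if __name__ == "__main__":
    for body in SAMPLE_EMAILS:
        for rec in triage_email(body):
            print(f"{rec['verdict']:<12} {rec['url']}\n             {rec['reason']}")
```

The point of the `allow` verdict for ordinary `blob/main/...` paths is to avoid blocking GitHub outright: the trust users place in the domain is exactly what the campaign borrows, so the distinction worth enforcing is between repository content and uploads attached to issues or comments.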
It also follows new research from ESET showing that the threat actors behind the Telekopye Telegram toolkit have expanded their focus beyond online fraud to target accommodation booking platforms such as Booking.com and Airbnb, with a spike in activity identified in July 2024.
The attacks are characterized by the use of compromised accounts of legitimate hotels and accommodation providers to contact potential targets, claiming problems with booking payments and tricking them into clicking on a fake link that prompts them to enter their financial information.
“Using their access to these accounts, fraudsters highlight users who have recently booked a stay and haven’t paid yet—or have paid very recently—and contact them via chat within the platform,” researchers Jakub Soucek and Radek Jizba said. “Depending on the platform and Mammoth’s settings, this results in Mammoth receiving an email or SMS from the booking platform.”
“This makes the scam much more difficult to detect because the information provided is personally relevant to the victims, comes through the expected communication channel, and the associated fake websites look as expected.”
Moreover, the diversification of victims has been accompanied by improvements to the toolkit that let fraud groups speed up the fraud process through automatic generation of phishing pages, improve communication with targets through interactive chatbots, protect phishing websites from disruption by competitors, and serve other goals.
Telekopye’s operations have not been without their share of failures. In December 2023, law enforcement agencies in the Czech Republic and Ukraine announced the arrest of several cybercriminals believed to be using a malicious Telegram bot.
“The programmers created, updated, maintained and improved the work of Telegram bots and phishing tools, as well as ensured the anonymity of accomplices online and provided advice on concealing criminal activity,” the Czech police said in a statement at the time.
“The groups in question were controlled from special workplaces by middle-aged men from Eastern Europe and Western and Central Asia,” ESET said. “They recruited people who found themselves in difficult life situations through job portal ads that promised ‘easy money’ and also targeted technically trained foreign students at universities.”