A new tax-themed phishing campaign targeting the insurance and finance sectors has been observed using GitHub links in phishing emails as a way to bypass security measures and deliver Remcos RAT, indicating that the technique is gaining traction among threat actors.
“In this campaign, legitimate repositories such as the open-source tax filing software, UsTaxes, HMRC, and InlandRevenue were used instead of unknown, low-star repositories,” Cofense researcher Jacob Malimban said.
“Using trusted repositories to deliver malware is relatively new compared to threat actors creating their own malicious GitHub repositories. These malicious GitHub links can be associated with any repository that allows comments.”
Central to the attack chain is the abuse of GitHub infrastructure for staging the malicious payloads. One variation of the technique, first disclosed by OALABS Research in March 2024, involves threat actors opening a GitHub issue on a well-known repository, uploading a malicious payload to it, and then closing the issue without saving it.
In doing so, it has been found that the uploaded malware persists even though the issue isn't saved, a vector that has become ripe for abuse because it allows attackers to upload any file of their choice and leave no trace other than the link to the file itself.
The technique has been weaponized to trick users into downloading a Lua-based malware loader that's capable of establishing persistence on infected systems and delivering additional payloads, as detailed by Morphisec this week.
The phishing campaign detected by Cofense employs a similar tactic, the only difference being that it uses GitHub comments to attach a file (i.e., the malware), after which the comment is deleted. As in the aforementioned case, the link remains active and is propagated via phishing emails.
“Emails with links to GitHub are effective at bypassing SEG security because GitHub is typically a trusted domain,” Malimban said. “GitHub links allow threat actors to directly link to the malware archive in the email without having to use Google redirects, QR codes, or other SEG bypass techniques.”
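A defender-side check that follows from the above, added here and not part of the article or of Cofense's tooling: it scans an email body for github.com links and flags those whose path points at an issue or comment attachment rather than repository content, since such a file was never committed to the repository whose name appears in the URL. The attachment path patterns are assumed from how GitHub hosts uploaded files, and the sample email text is constructed.

```python
import re
from urllib.parse import urlparse

# Paths GitHub uses for files attached to issues and comments (assumed from
# GitHub's attachment hosting, not taken from the article):
#   https://github.com/<owner>/<repo>/files/<id>/<name>
#   https://github.com/user-attachments/files/<id>/<name>
# Files under these paths live outside the repository tree, so the repo name
# in the URL says nothing about who uploaded the file or what it contains.
ATTACHMENT_PATHS = (
    re.compile(r"^/[^/]+/[^/]+/files/\d+/[^/]+$"),
    re.compile(r"^/user-attachments/files/\d+/[^/]+$"),
)
RISKY_EXT = {".zip", ".rar", ".7z", ".exe", ".js", ".lnk", ".iso", ".img", ".vbs", ".bat"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def classify_github_link(url):
    """Return ('attachment', scope, filename) for issue/comment attachments,
    ('repo', path, '') for any other github.com link, None for other hosts."""
    p = urlparse(url)
    if p.netloc.lower() != "github.com":
        return None
    for rx in ATTACHMENT_PATHS:
        if rx.match(p.path):
            parts = p.path.split("/")
            return ("attachment", parts[1], parts[-1])
    return ("repo", p.path, "")

def flag_email(body):
    """Return one finding per GitHub attachment link in the email body,
    noting whether the attached filename has an archive/executable extension."""
    findings = []
    for url in URL_RE.findall(body):
        kind = classify_github_link(url)
        if kind and kind[0] == "attachment":
            name = kind[2].lower()
            risky = any(name.endswith(ext) for ext in RISKY_EXT)
            findings.append({"url": url, "scope": kind[1], "file": kind[2], "risky_ext": risky})
    return findings

# Constructed sample email (not from the article): one attachment link hanging
# off a repository's comment thread, plus an ordinary link into the repo source.
SAMPLE = """Your 2023 tax documents are ready.
Download: https://github.com/example-org/tax-tool/files/12345678/Tax_Docs_2023.zip
Source code: https://github.com/example-org/tax-tool/blob/main/README.md
"""

if __name__ == "__main__":
    for finding in flag_email(SAMPLE):
        print(finding)
```

Only the first link is reported; the README link resolves to committed repository content and is left alone.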
The development comes as Barracuda Networks revealed novel techniques adopted by phishers, including ASCII- and Unicode-based QR codes and blob URLs, as a way to make it harder to block malicious content and evade detection.
“A blob URI (also known as a blob URL or an object URL) is used by browsers to represent binary data or file-like objects (called blobs) that are temporarily held in the browser’s memory,” security researcher Ashitosh Deshnur said.
“Blob URIs allow web developers to work with binary data like images, videos, or files directly within the browser, without having to send or retrieve it from an external server.”
It also follows new research from ESET that the threat actors behind the Telekopye Telegram toolkit have expanded their focus beyond online marketplace scams to target accommodation booking platforms such as Booking.com and Airbnb, with a sharp uptick detected in July 2024.
The attacks are characterized by the use of compromised accounts of legitimate hotels and accommodation providers to contact potential targets, claiming purported issues with the booking payment and tricking them into clicking on a bogus link that prompts them to enter their financial information.
“Using their access to these accounts, scammers single out users who recently booked a stay and haven’t paid yet – or paid very recently – and contact them via in-platform chat,” researchers Jakub Souček and Radek Jizba said. “Depending on the platform and the Mammoth’s settings, this leads to the Mammoth receiving an email or SMS from the booking platform.”
“This makes the scam much harder to spot, as the information provided is personally relevant to the victims, arrives via the expected communication channel, and the linked, fake websites look as expected.”
What's more, the diversification of the victimology footprint has been complemented by improvements to the toolkit that allow the scammer groups to speed up the scam process using automated phishing page generation, improve communication with targets via interactive chatbots, and protect phishing websites against disruption by competitors, among other goals.
Telekopye's operations haven't been without their fair share of hiccups. In December 2023, law enforcement officials from Czechia and Ukraine announced the arrest of several cybercriminals who are alleged to have used the malicious Telegram bot.
“Programmers created, updated, maintained and improved the functioning of Telegram bots and phishing tools, as well as ensuring the anonymity of accomplices on the internet and providing advice on concealing criminal activity,” the Police of the Czech Republic said in a press release at the time.
“The groups in question were managed, from dedicated workspaces, by middle-aged men from Eastern Europe and West and Central Asia,” ESET said. “They recruited people in difficult life situations, through job portal postings promising ‘easy money,’ as well as by targeting technically skilled foreign students at universities.”