GitHub, Telegram Bots, and QR Codes Exploited in Latest Phishing Attack Surge

A new tax-themed malware campaign has been detected, targeting the insurance and finance sectors. This campaign leverages GitHub links in phishing emails to bypass security filters and deliver Remcos RAT, indicating that this method is gaining popularity among cybercriminals.

“In this case, legitimate repositories like UsTaxes, HMRC, and InlandRevenue were used instead of suspicious, low-reputation repositories,” said Cofense researcher Jacob Malimban.

This tactic is noteworthy because, unlike the creation of malicious repositories, it abuses trusted ones. Threat actors are exploiting GitHub’s infrastructure by attaching malware to comments in these repositories. Even after the comment is deleted, the link to the malicious payload remains active, making it hard to trace.

A key component of the attack is the abuse of GitHub's platform to host malware payloads. A method first identified by OALABS Research in March 2024 involves uploading a malicious file to a GitHub issue and then abandoning the issue without submitting it; the uploaded file nonetheless remains reachable at its GitHub URL, so the malware persists without any visible issue or comment pointing to it.

This strategy has been weaponized to distribute a Lua-based malware loader that establishes persistence on the infected system and downloads additional malicious payloads. Cofense’s analysis found a similar tactic, where the malware is uploaded through GitHub comments, then deleted, leaving the link active and shared via phishing emails.

GitHub links are trusted by Secure Email Gateways (SEGs), allowing attackers to bypass traditional security measures and distribute malware directly. "Using GitHub links avoids the need for other SEG bypass techniques like Google redirects or QR codes," Malimban explained.

Meanwhile, Barracuda Networks highlighted new phishing techniques, such as ASCII and Unicode-based QR codes and blob URLs. A blob URI, commonly used in web development to handle binary data within browsers, is now being exploited to evade detection.
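The three lures described above (GitHub-hosted attachments that SEGs wave through, blob URIs, and QR codes drawn in text) all leave recognisable traces in message content that a mail-triage step can flag. The following is an added example, written for this page rather than taken from Cofense, Barracuda or GitHub, of a small Python triage function run over constructed sample bodies. The GitHub attachment path shapes it matches (`/user-attachments/files/…` and the older `/<owner>/<repo>/files/<id>/…`) are assumptions based on how GitHub serves uploaded files and may need adjusting; the "risky" extension list and the block-character heuristic for text QR codes are likewise the author's choices, not anything the page specifies. It flags attachment-hosted files separately from ordinary repository links, so a legitimate link to a project page such as UsTaxes is not itself treated as suspicious.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages for demonstration; none are real campaign artefacts.
SAMPLE_EMAILS = {
    "tax_lure": (
        "Your 2024 tax filing is ready for review.\n"
        "Download: https://github.com/user-attachments/files/12345678/Tax_Return_2024.zip"
    ),
    "repo_link": "The open-source filing tool lives at https://github.com/UsTaxes/UsTaxes",
    "text_qr": "Scan to view your invoice:\n" + ("█▀▀▀▀▀█ ▄█▀▄ █▀▀▀▀▀█\n" * 12) + "\nThank you",
    "blob_page": '<a href="blob:https://example.com/3f1c2a4b-0000-4000-8000-000000000000">Open document</a>',
}

# Assumed shapes of GitHub upload URLs: current user-attachments path and the older per-repo path.
GITHUB_ATTACHMENT_PATHS = (
    re.compile(r"^/user-attachments/(files|assets)/"),
    re.compile(r"^/[^/]+/[^/]+/files/\d+/"),
)
# Extensions that warrant a higher severity when served from an attachment URL (author's list).
RISKY_EXT = {".zip", ".rar", ".7z", ".exe", ".js", ".vbs", ".lnk", ".iso", ".img", ".bat", ".scr"}
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
BLOB_RE = re.compile(r"""blob:https?://[^\s"'<>]+""")
# Unicode block elements typically used to draw a QR code as text.
QR_CHARS = set("█▀▄▌▐░▒▓■")


def github_attachment_url(url: str) -> bool:
    """True when the URL points at a file GitHub hosts for an issue/comment upload."""
    parsed = urlparse(url)
    if parsed.netloc.lower() not in ("github.com", "www.github.com"):
        return False
    return any(rx.match(parsed.path) for rx in GITHUB_ATTACHMENT_PATHS)


def risky_extension(url: str) -> bool:
    path = urlparse(url).path.lower()
    return any(path.endswith(ext) for ext in RISKY_EXT)


def looks_like_text_qr(body: str, min_lines: int = 8, min_ratio: float = 0.5) -> bool:
    """Detect a run of lines that consist mostly of block-drawing characters."""
    run = best = 0
    for line in body.splitlines():
        cells = [c for c in line if not c.isspace()]
        if len(cells) >= 10 and sum(c in QR_CHARS for c in cells) / len(cells) >= min_ratio:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best >= min_lines


def triage(body: str) -> list[tuple[str, str, str]]:
    """Return (severity, indicator, evidence) tuples for one message or HTML page body."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")
        if github_attachment_url(url):
            severity = "high" if risky_extension(url) else "medium"
            findings.append((severity, "github-attachment", url))
    # blob: URIs are created by page scripts, so this check is meant for HTML content
    # (attachments or a landing page fetched by a sandbox), not plain-text mail.
    for blob in BLOB_RE.findall(body):
        findings.append(("medium", "blob-uri", blob))
    if looks_like_text_qr(body):
        findings.append(("medium", "text-qr", "block-character QR art in body"))
    return findings


if __name__ == "__main__":
    for name, body in SAMPLE_EMAILS.items():
        print(name, triage(body))
```

A finding here is a triage signal, not a verdict: the attachment URL should still be fetched in a sandbox and the file hashed and scanned, and the QR heuristic is deliberately loose so that it catches codes drawn with mixed block characters at the cost of occasional false positives on ASCII-art signatures.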

Adding to the growing threat landscape, ESET's recent research uncovered that threat actors behind the Telekopye Telegram toolkit have expanded from online marketplace scams to accommodation booking platforms, like Booking.com and Airbnb, with a spike in activity in July 2024.

These scams involve compromised hotel accounts contacting recent customers with fake payment issues, directing them to phishing links. The scams are difficult to detect as they use legitimate booking platforms to send personalized messages, making the fraud appear more credible.

Telekopye’s operations have become more sophisticated, with automated phishing page generation, interactive chatbots, and enhanced methods for evading competition. However, the group's success has faced setbacks, with arrests made in December 2023 by Czech and Ukrainian authorities, disrupting the operations of cybercriminals responsible for creating and maintaining phishing tools. These criminals were primarily middle-aged men from Eastern Europe and West and Central Asia, who recruited individuals in difficult situations or technically skilled students through misleading job offers.
