Malware on GitHub

New Malware Campaign Targets Finance and Insurance Sectors Using GitHub Links

A Sophisticated Cyber Threat

A new malware campaign that uses GitHub links in phishing email messages has been observed targeting the finance and insurance sectors. This method is gaining popularity among cybercriminals because it allows them to bypass security measures and deliver the Remcos RAT. Instead of using unknown, low-star repositories, the attackers exploit legitimate repositories such as UsTaxes (open-source tax filing software), HMRC, and InlandRevenue for this purpose.

Abusing GitHub Infrastructure

The core of the attack involves the misuse of GitHub infrastructure to stage malicious payloads. Cybercriminals open an issue on a well-known repository, attach a malicious payload to it, and then abandon the issue without submitting it. The uploaded file stays hosted on GitHub even though the issue is never saved. This vector is ripe for abuse because it lets attackers upload any file of their choice without leaving any trace other than the link to the file itself.

Weaponizing the Approach

This technique has been weaponized to trick users into downloading a Lua-based malware loader capable of establishing persistence on infected systems and delivering additional payloads. The detected phishing campaign attaches the file, i.e., the malware, to a GitHub comment and then deletes the comment. The link nevertheless remains active and is propagated via phishing emails.

Evading Security Measures

Emails with links to GitHub are effective at bypassing security measures because GitHub is typically a trusted domain. GitHub links allow threat actors to directly link to the malware archive in the email without having to use redirects, QR codes, or other bypass techniques.
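As an added example (not code from the article or from GitHub), here is a small Python filter a mail gateway or SOC analyst could run over an email body to surface GitHub issue/comment attachment links, and in particular those that point straight at an archive. The attachment URL path patterns, the archive extension list, and the sample email are my assumptions and are labelled as such in the code.

```python
import re
from urllib.parse import urlparse

# Assumed path shapes for files attached to GitHub issues and comments
# (based on observed GitHub behaviour, not on the article):
#   /<owner>/<repo>/files/<numeric id>/<filename>
#   /user-attachments/files/<numeric id>/<filename>
ATTACHMENT_PATH = re.compile(
    r"^/(?:user-attachments/files|[^/]+/[^/]+/files)/\d+/(?P<name>[^/?#]+)$"
)
# Assumed list of container formats worth treating as high risk.
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso", ".img", ".gz", ".tgz", ".tar")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_url(url):
    """Return 'attachment-archive', 'attachment', or None (not an attachment link)."""
    p = urlparse(url)
    if p.netloc.lower() != "github.com":
        return None
    m = ATTACHMENT_PATH.match(p.path)
    if not m:
        return None  # ordinary repo, blob, or release URL: not an issue attachment
    name = m.group("name").lower()
    return "attachment-archive" if name.endswith(ARCHIVE_EXT) else "attachment"


def flag_email(body):
    """Return [(url, verdict)] for every GitHub attachment link in an email body."""
    hits = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,);")  # drop sentence punctuation glued to the URL
        verdict = classify_url(url)
        if verdict:
            hits.append((url, verdict))
    return hits


# Constructed sample email: one normal repository link, one attachment link
# to an archive, one attachment link to an image. All values are made up.
SAMPLE = """Please review the filing tool at
https://github.com/example-org/example-repo/blob/main/README.md.
Your documents are here: https://github.com/example-org/example-repo/files/123456/Tax_Documents.zip
Screenshot for reference: https://github.com/user-attachments/files/987654/screenshot.png"""

if __name__ == "__main__":
    for url, verdict in flag_email(SAMPLE):
        print(verdict, url)
```

The verdicts are inputs to a policy decision (quarantine, rewrite, or warn), not a malware determination by themselves; pair them with sender context and archive inspection.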

Novel Phishing Methods

The development comes as new methods adopted by phishers are revealed, including ASCII- and Unicode-based QR codes and blob URLs, which make malicious content harder to block and help it evade detection.

Expanding Targets

New research indicates that the threat actors behind the Telekopye Telegram toolkit have expanded their focus beyond online marketplace scams to target accommodation booking platforms such as Booking.com and Airbnb.

Scamming Techniques

The attacks involve the use of compromised accounts of legitimate hotels and accommodation providers to contact potential targets, tricking them into clicking on a bogus link that prompts them to enter their financial information. This scam is difficult to spot as the information provided is personally relevant to the victims, arrives via the expected communication channel, and the linked, fake websites look as expected.

Improving the Scam Process

The diversification of the victimology footprint has been complemented by improvements to the toolkit that allow the scammer groups to speed up the scam process using automated phishing page generation, improve communication with targets via interactive chatbots, protect phishing websites against disruption by competitors, and achieve other goals.

Law Enforcement Actions

Despite the sophistication of these operations, they have not been without hiccups. In December 2023, law enforcement officials from Czechia and Ukraine announced the arrest of several cybercriminals alleged to have used the malicious Telegram bot.