A recently detected tax-themed malware campaign targeting the insurance and finance sectors uses GitHub links in phishing emails to evade security measures and deliver Remcos RAT, underscoring the platform’s growing popularity among malicious actors.
According to Cofense researcher Jacob Malimban, the team behind this campaign leveraged reputable repositories, such as the open-source tax-filing software UsTaxes, HMRC, and InlandRevenue, instead of lesser-known, lower-rated alternatives.
While leveraging trusted repositories to deliver malware is a relatively recent tactic, threat actors have historically created their own malicious GitHub repositories. The malicious GitHub links point to repositories that have comments enabled.
At the core of the attack lies the abuse of GitHub’s infrastructure, which the attackers use to host and distribute malicious code. According to a March 2024 analysis by OALABS, threat actors can abuse well-known GitHub repositories by opening a new issue, uploading a malicious payload to it, and then closing the issue without saving the changes.
Even though the issue is not saved, the uploaded file persists. This lets attackers upload arbitrary files to a trusted repository without leaving any trace other than the link to the file itself.
Morphisec recently disclosed the same technique being abused to trick users into installing a Lua-based malware loader that establishes persistence on compromised systems and delivers further payloads.
The phishing campaign detected by Cofense employs a similar tactic, differing only in that a file – namely, the malware – is uploaded and the comment is then deleted. The link remains active and is spread through phishing emails.
According to Malimban, emails containing GitHub links can bypass secure email gateway (SEG) protections because GitHub is widely regarded as a trusted domain. GitHub links allow attackers to link directly to malware archives in emails without relying on Google redirects, QR codes, or other SEG bypass techniques.
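One defensive check that follows from the above: a mail filter that treats a link to a file uploaded through a GitHub issue or pull-request comment differently from a link to repository source. This is an added example, not code from Cofense or any project the article mentions; it assumes the two URL shapes GitHub uses for comment attachments (the older `/<owner>/<repo>/files/<id>/<name>` and the newer `/user-attachments/files/<id>/<name>`) and scans a constructed sample email body.

```python
import re
from urllib.parse import urlparse

# Constructed sample email body (not taken from the article); the URLs are placeholders.
SAMPLE_EMAIL = """Dear customer,
Your 2023 tax filing needs correction. Download the corrected forms here:
https://github.com/example-org/example-tax-app/files/12345678/Tax_Forms_2023.zip
Project docs: https://github.com/example-org/example-tax-app/blob/main/README.md
Invoice: https://github.com/user-attachments/files/87654321/Invoice_0420.rar
"""

# Assumed URL shapes for files uploaded through issue/PR comments: the legacy
# /<owner>/<repo>/files/<id>/<name> form and the newer /user-attachments/files/<id>/<name> form.
ATTACHMENT_PATHS = (
    re.compile(r"^/[^/]+/[^/]+/files/\d+/[^/]+$"),
    re.compile(r"^/user-attachments/files/\d+/[^/]+$"),
)
# Extensions that commonly carry a RAT dropper; tune to the environment.
RISKY_EXT = {".zip", ".rar", ".7z", ".iso", ".img", ".exe", ".scr", ".js", ".vbs", ".lnk"}
URL_RE = re.compile(r"""https?://[^\s<>"')]+""")


def classify_github_link(url):
    """Return a reason string if the link is a GitHub comment attachment, else None."""
    parsed = urlparse(url)
    if parsed.hostname not in {"github.com", "www.github.com"}:
        return None
    if not any(pattern.match(parsed.path) for pattern in ATTACHMENT_PATHS):
        return None  # ordinary repository content (blob, tree, releases, ...)
    name = parsed.path.rsplit("/", 1)[-1].lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in RISKY_EXT:
        return f"github comment attachment with risky extension {ext}"
    return "github comment attachment"


def flag_github_attachment_links(body):
    """Scan an email body and return (url, reason) for every GitHub attachment link found."""
    findings = []
    for url in URL_RE.findall(body):
        reason = classify_github_link(url)
        if reason:
            findings.append((url, reason))
    return findings


if __name__ == "__main__":
    for url, reason in flag_github_attachment_links(SAMPLE_EMAIL):
        print(f"{reason}: {url}")
```

The attachment path is the signal here: the repository owner is irrelevant, because the whole point of the technique is that the hosting repository is reputable.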
The disclosure comes as Barracuda Networks shared fresh insights into phishing tactics, including new approaches attackers use to evade detection and bypass security measures.
“A blob URI, also known as a blob URL or object URL, is used by browsers to represent binary data or file-like objects – commonly referred to as blobs – that are temporarily stored in the browser’s memory.”
“Blob URIs enable developers to seamlessly interact with binary data such as images, videos, and files directly within the browser, eliminating the need for external servers to process or transmit this content.”
Cybercriminals using the Telegram-based Telekopye toolkit have widened their scope beyond online marketplace fraud to booking platforms like Booking.com and Airbnb, as revealed by ESET’s recent analysis, with a notable spike observed in July 2024.
Scammers target unsuspecting victims through fraudulent hotel reservation notifications, allegedly offering discounted rates to entice them to click on malicious links and provide sensitive financial information.
“Scammers exploit the entry point to target unsuspecting hotel customers, focusing on those who have recently made a reservation and either haven’t paid yet or have made a recent payment. They initiate fraudulent conversations through the platform’s in-built chat function.” Depending on the platform’s settings, the Mammoth (Telekopye’s term for the victim) receives a notification, by email or SMS, when a reservation is made.
The sophisticated phishing scheme makes it significantly more challenging to detect, leveraging personalized information tied to the unsuspecting targets, transmitted via expected channels, and authentic-looking websites that mirror familiar patterns.
What’s more, the victimology footprint has been broadened by enhancements to the toolkit that enable scammer teams to speed up the scam through automated phishing-page generation, communicate with targets via interactive chatbots, protect phishing websites from disruption by rivals, and achieve other objectives.
Telekopye’s operations have not been without their fair share of setbacks. In December 2023, law enforcement agencies from the Czech Republic and Ukraine collaborated to apprehend several cybercriminals accused of using a malicious Telegram bot.
“Programmers designed, updated, maintained, and enhanced Telegram bots and phishing tools, while ensuring the anonymity of accomplices online and providing guidance on concealing criminal activity,” according to a statement by the Police of the Czech Republic.
The groups responsible were reportedly run from dedicated workspaces by middle-aged men from Japan, Europe, and West and Central Asia, according to cybersecurity firm ESET. Recruiters targeted individuals facing challenging life circumstances through job postings advertising “immediate financial compensation,” and also recruited among international students attending prestigious universities.