GitHub, Telegram Bots, and QR Codes Abused in New Wave of Phishing Attacks

A novel tax-themed malware campaign targeting the insurance and finance sectors has been observed using GitHub links in phishing emails as a way to bypass security measures and deliver Remcos RAT, suggesting the technique is gaining traction among threat actors.

“In this scheme, reputable repositories such as the open-source tax preparation software, UsTaxes, HMRC, and InlandRevenue were employed instead of unknown, poorly-rated repositories,” Jacob Malimban, a researcher at Cofense, stated.

“Employing trusted repositories to disseminate malware is fairly recent compared to threat actors forming their own malicious GitHub repositories. These malevolent GitHub hyperlinks can be linked to any repository that accepts comments.”

Central to the attack chain is the abuse of GitHub infrastructure to stage the malicious payloads. One variant of the technique, first disclosed by OALABS Research in March 2024, has threat actors open a GitHub issue on a well-known repository, upload a malicious payload to it, and then close the issue without saving it.

With this technique, the uploaded malware has been found to persist even though the issue itself is never saved, an avenue ripe for abuse because it lets attackers upload any file they want without leaving a trace other than the file link itself.


The technique has been weaponized to trick users into downloading a Lua-based malware loader that can establish persistence on infected systems and deliver additional payloads, as Morphisec detailed earlier this week.

The phishing campaign identified by Cofense uses a similar strategy, the only difference being the use of GitHub comments to attach a file (i.e., the malware), after which the comment is deleted. As in the earlier case, the link remains active and is distributed in phishing emails.
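The defensive takeaway from the issue/comment upload trick above is that a link to a file uploaded through GitHub looks different from a link to the repository itself, so mail filters can treat the two differently. The following is an added example, not code from the article or from Cofense, OALABS or Morphisec; it assumes the two GitHub upload-URL shapes noted in the comments and uses a constructed lure email with placeholder repository names.

```python
import re
from urllib.parse import urlparse, unquote

# Assumed shapes of links to files uploaded via a GitHub issue or comment
# (assumption, not stated in the article):
#   https://github.com/<owner>/<repo>/files/<id>/<filename>
#   https://github.com/user-attachments/files/<id>/<filename>
ATTACHMENT_PATH = re.compile(
    r"^/(?:user-attachments|(?P<owner>[^/]+)/(?P<repo>[^/]+))/files/(?P<id>\d+)/(?P<name>[^/]+)$"
)
URL_PATTERN = re.compile(r"https?://[^\s<>\"')]+")
# File types commonly used to carry a loader; archives hide the real payload.
RISKY_EXTENSIONS = {".zip", ".rar", ".7z", ".exe", ".scr", ".js", ".vbs", ".lnk", ".iso"}

def classify_url(url):
    """Return a finding dict for a GitHub upload link, or None for anything else."""
    parsed = urlparse(url)
    if parsed.hostname not in ("github.com", "www.github.com"):
        return None
    match = ATTACHMENT_PATH.match(parsed.path)
    if not match:
        return None  # a normal repository/page link, not an uploaded file
    name = unquote(match.group("name"))
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {
        "url": url,
        "repo": f'{match.group("owner")}/{match.group("repo")}' if match.group("owner") else None,
        "filename": name,
        "risky": ext in RISKY_EXTENSIONS,
    }

def scan_email_body(body):
    """Extract every URL from an email body and keep only GitHub upload links."""
    findings = [classify_url(u) for u in URL_PATTERN.findall(body)]
    return [f for f in findings if f is not None]

# Constructed sample lure (not from the article); owner, repo and ids are placeholders.
SAMPLE_EMAIL = """Your 2023 tax return is ready for review.
Download the prepared forms here:
https://github.com/example-org/tax-software/files/1234567/Tax_Return_2023.zip
Questions? See the project page https://github.com/example-org/tax-software
and our FAQ https://github.com/user-attachments/files/7654321/FAQ.pdf
"""

if __name__ == "__main__":
    for finding in scan_email_body(SAMPLE_EMAIL):
        flag = "RISKY" if finding["risky"] else "info"
        print(f'[{flag}] {finding["filename"]} from repo {finding["repo"]} <- {finding["url"]}')
```

The repository name in a flagged link is exactly the "trusted" name the lure relies on, so the check should key on the upload path, not on the reputation of the owner or repo.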

stated. “This results in the Mammoth getting an email or SMS from the booking platform.”


“This makes the deception much more difficult to detect, as the shared details are personally significant to the targets, arrive through the anticipated communication medium, and the connected, counterfeit websites appear as anticipated.”

In addition, the broadening of the victim base has been accompanied by improvements to the toolkit that let the scammer groups speed up the scam with automated generation of phishing pages, improve interaction with targets through interactive chatbots, protect phishing websites from interference by competitors, and pursue other goals.

Telekopye's operations have not been without setbacks. In December 2023, authorities in Czechia and Ukraine announced the arrest of several cybercriminals accused of using the malicious Telegram bot.

“Developers devised, upgraded, managed, and refined the operation of Telegram bots and phishing tools, along with ensuring the anonymity of collaborators online and offering guidance on concealing criminal activities,” the Police of the Czech Republic stated in a declaration at that time.

“The entities involved were supervised, from specific workspaces, by individuals of middle age from Eastern Europe and West and Central Asia,” ESET declared. “They recruited individuals facing challenging life circumstances, through job postings on online platforms promising ‘easy earnings,’ as well as by targeting technically adept foreign students at educational institutions.”
