GitHub, Telegram Bots, and QR Codes Abused in New Wave of Phishing Attacks

A new tax-themed malware campaign targeting insurance and finance sectors has been observed leveraging GitHub links in phishing email messages as a way to bypass security measures and deliver Remcos RAT, indicating that the method is gaining traction among threat actors.

“In this campaign, legitimate repositories such as the open-source tax filing software, UsTaxes, HMRC, and InlandRevenue were used instead of unknown, low-star repositories,” Cofense researcher Jacob Malimban said.

“Using trusted repositories to deliver malware is relatively new compared to threat actors creating their own malicious GitHub repositories. These malicious GitHub links can be associated with any repository that allows comments.”

Central to the attack chain is the abuse of GitHub infrastructure for staging the malicious payloads. One variation of the technique, first disclosed by OALABS Research in March 2024, involves threat actors opening a GitHub issue on well-known repositories and uploading to it a malicious payload, and then closing the issue without saving it.

In doing so, it has been found that the uploaded malware persists even though the issue is never saved, a vector that has become ripe for abuse as it allows attackers to upload any file of their choice and not leave any trace except for the link to the file itself.

The approach has been weaponized to trick users into downloading a Lua-based malware loader that is capable of establishing persistence on infected systems and delivering additional payloads, as detailed by Morphisec this week.

The phishing campaign detected by Cofense employs a similar tactic, the only difference being that it utilizes GitHub comments to attach a file (i.e., the malware), after which the comment is deleted. Like in the aforementioned case, the link remains active and is propagated via phishing emails.

“Emails with links to GitHub are effective at bypassing SEG security because GitHub is typically a trusted domain,” Malimban said. “GitHub links allow threat actors to directly link to the malware archive in the email without having to use Google redirects, QR codes, or other SEG bypass techniques.”

The development comes as Barracuda Networks revealed novel methods adopted by phishers, including ASCII- and Unicode-based QR codes and blob URLs as a way to make it harder to block malicious content and evade detection.

“A blob URI (also known as a blob URL or an object URL) is used by browsers to represent binary data or file-like objects (called blobs) that are temporarily held in the browser’s memory,” security researcher Ashitosh Deshnur said.

“Blob URIs allow web developers to work with binary data like images, videos, or files directly within the browser, without having to send or retrieve it from an external server.”

It also follows new research from ESET that the threat actors behind the Telekopye Telegram toolkit have expanded their focus beyond online marketplace scams to target accommodation booking platforms such as Booking.com and Airbnb, with a sharp uptick detected in July 2024.

The attacks are characterized by the use of compromised accounts of legitimate hotels and accommodation providers to contact potential targets, claiming purported issues with the booking payment and tricking them into clicking on a bogus link that prompts them to enter their financial information.

“Using their access to these accounts, scammers single out users who recently booked a stay and haven’t paid yet – or paid very recently – and contact them via in-platform chat,” researchers Jakub Souček and Radek Jizba said. “Depending on the platform and the Mammoth’s settings, this leads to the Mammoth receiving an email or SMS from the booking platform.”

“This makes the scam much harder to spot, as the information provided is personally relevant to the victims, arrives via the expected communication channel, and the linked, fake websites look as expected.”

What’s more, the diversification of the victimology footprint has been complemented by improvements to the toolkit that allow the scammer groups to speed up the scam process using automated phishing page generation, improve communication with targets via interactive chatbots, protecting phishing websites against disruption by competitors, and other goals.

Telekopye’s operations have not been without their fair share of hiccups. In December 2023, law enforcement officials from Czechia and Ukraine announced the arrest of several cybercriminals who are alleged to have used the malicious Telegram bot.

“Programmers created, updated, maintained and improved the functioning of Telegram bots and phishing tools, as well as ensuring the anonymity of accomplices on the internet and providing advice on concealing criminal activity,” the Police of the Czech Republic said in a statement at the time.

“The groups in question were managed, from dedicated workspaces, by middle-aged men from Eastern Europe and West and Central Asia,” ESET said. “They recruited people in difficult life situations, through job portal postings promising ‘easy money,’ as well as by targeting technically skilled foreign students at universities.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.