A new malware campaign targeting the insurance and finance sectors has been observed leveraging GitHub links in phishing emails to bypass security measures and deliver the Remcos RAT malware. This tax-themed campaign, uncovered by cybersecurity researchers at Cofense, showcases how threat actors are using trusted platforms like GitHub to evade detection.
Phishing Tactics and GitHub Abuse
In this campaign, attackers used legitimate repositories like the open-source tax software UsTaxes and government-related repositories such as HMRC and InlandRevenue, instead of relying on low-star or unknown repositories. By using trusted repositories, attackers successfully tricked users into downloading malicious payloads.
Jacob Malimban from Cofense explained, “Using trusted repositories for malware delivery is a relatively new tactic compared to creating malicious GitHub repositories. This method is gaining traction, as these GitHub links can be associated with any repository allowing comments.”
Attackers exploited GitHub infrastructure by uploading malicious payloads through the issue section of well-known repositories. A file attached to an issue is hosted by GitHub as soon as it is uploaded, even if the issue itself is never submitted, so the attacker is left with a GitHub-hosted file link and no visible issue, creating a stealthy attack vector.
GitHub Links to Evade Email Security
The phishing emails, containing GitHub links, bypass standard secure email gateways (SEGs), which typically trust GitHub as a legitimate domain. Once the user clicks on the link, they unknowingly download malware. In previous attacks, similar tactics were used to deliver malware loaders, which could establish persistence on infected systems.
“GitHub links are effective at bypassing SEG security because GitHub is seen as a trusted domain,” said Malimban. “Attackers no longer need to use more obvious methods like QR codes or Google redirects.”
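The detection point in the passage above is that a link to github.com is not necessarily a link to repository content: a file uploaded through an issue or comment form lives at a separate attachment path. The following scanner is an added example (not code from Cofense or the article) that pulls URLs out of a constructed email body and flags github.com links whose path matches the two attachment URL shapes assumed here, rather than a repository page; the sample text and the extension list are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample email body; not taken from the article or a real campaign.
SAMPLE_EMAIL = """Your 2023 tax statement is ready.
Download it here: https://github.com/UsTaxes/UsTaxes/files/12345678/Tax_Statement_2023.zip
Source code for the tool: https://github.com/ustaxes/ustaxes
Newer style upload: https://github.com/user-attachments/files/87654321/Invoice.exe
Unrelated: https://docs.example.test/help
"""

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")

# Assumed path shapes for files uploaded via an issue/comment form (verify against
# current GitHub behaviour): /user-attachments/files/<id>/<name> and
# /<owner>/<repo>/files/<id>/<name>. Neither is repository source content.
ATTACHMENT_PATTERNS = [
    re.compile(r"^/user-attachments/files/\d+/"),
    re.compile(r"^/[^/]+/[^/]+/files/\d+/"),
]

# Extensions that warrant extra scrutiny when delivered as an uploaded file.
RISKY_EXT = {".zip", ".7z", ".rar", ".iso", ".img", ".exe", ".scr",
             ".js", ".vbs", ".bat", ".lnk"}


def classify_github_url(url):
    """Return 'attachment', 'repo', or None when the host is not github.com."""
    parts = urlparse(url)
    if parts.netloc.lower() != "github.com":
        return None
    if any(pat.match(parts.path) for pat in ATTACHMENT_PATTERNS):
        return "attachment"
    return "repo"


def scan_email(body):
    """Return (url, reason) for every github.com attachment link in the body."""
    findings = []
    for url in URL_RE.findall(body):
        if classify_github_url(url) != "attachment":
            continue
        name = url.rsplit("/", 1)[-1].lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        reason = "GitHub-hosted uploaded file, not repository content"
        if ext in RISKY_EXT:
            reason += f"; archive/executable extension {ext}"
        findings.append((url, reason))
    return findings
```

Run against SAMPLE_EMAIL, the scanner flags the two uploaded-file links and leaves the genuine repository link and the non-GitHub link alone; the same classifier can be wired into an SEG rule or a mail-flow hook so that github.com is no longer an unconditional allow.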
Evolution of Phishing Techniques
Barracuda Networks has also observed novel phishing methods, such as ASCII- and Unicode-based QR codes and blob URLs, which make malicious content harder to block and help it evade detection. Blob URLs represent binary data held temporarily in the browser, making it possible to manipulate data directly in the browser without needing an external server.
These developments coincide with new research from ESET, highlighting that the Telekopye Telegram toolkit, originally focused on online marketplace scams, is now targeting accommodation booking platforms like Booking.com and Airbnb. The scammers exploit compromised accounts of legitimate businesses to contact users with claims of issues regarding their booking payments.
Expansion of Phishing Operations
The attacks involving accommodation bookings have increased since July 2024. Using compromised accounts, scammers contact users through official channels, making the phishing attempt appear legitimate. Victims are tricked into providing their financial information via fake payment pages.
Researchers Jakub Souček and Radek Jizba noted, “The scammers exploit the trust users place in these platforms, sending messages through in-platform chats, which makes it harder to detect the scam as the communication appears expected.”
The phishing operations are becoming more sophisticated, with improvements to the toolkit that allow scammers to automate phishing page creation and use chatbots for better communication. This increases efficiency and makes it harder for victims to recognize the scam.
Law Enforcement Crackdown
Telekopye’s phishing operations have faced setbacks as law enforcement in Czechia and Ukraine arrested several cybercriminals in December 2023. These individuals were responsible for maintaining and developing malicious Telegram bots used to carry out phishing attacks.
“The cybercriminals were part of organized groups led by middle-aged men from Eastern Europe and West and Central Asia,” said ESET. The group recruited individuals facing economic hardships and technically skilled foreign students, luring them with promises of “easy money” through job portals.