A recent tax-themed malware campaign targeting the insurance and finance sectors has been using GitHub links in phishing emails to deliver the Remcos RAT, allowing threat actors to bypass security measures.
Cofense researcher Jacob Malimban explained, “In this campaign, legitimate repositories like UsTaxes, HMRC, and InlandRevenue were utilized instead of unknown ones, making use of trusted sources to distribute malware.”
The tactic involves leveraging GitHub infrastructure to store and share malicious payloads, a method first uncovered by OALABS Research earlier this year. Threat actors upload malware to GitHub issues on well-known repositories, enabling them to distribute it via email links.
Another variation of the technique was recently used to deliver a Lua-based malware loader, allowing attackers to establish persistence on compromised systems.
Malimban also noted that GitHub links in phishing emails are effective in bypassing security measures as GitHub is a trusted domain, making it easier for threat actors to distribute malware directly via email links.
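The defensive takeaway from the technique above is that a link on a trusted domain is not a link to trusted content: a file uploaded to an issue or comment on a reputable repository was never reviewed by that repository's maintainers. The following filter, an added example that is not code from the article or from Cofense, scans an email body and separates GitHub links that point at uploaded attachments from links that point at repository source. The attachment path shapes, the `example-org/UsTaxes` repository path and the numeric ids in the sample message are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Path shapes GitHub has used for files uploaded to issues and comments.
# These patterns are assumptions for this example, not taken from the article.
ATTACHMENT_PATHS = (
    re.compile(r"^/user-attachments/files/\d+/(?P<name>[^/?#]+)$"),
    re.compile(r"^/(?P<repo>[^/]+/[^/]+)/files/\d+/(?P<name>[^/?#]+)$"),
)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_github_link(url):
    """Return details if `url` points at an issue/comment attachment on
    github.com (content the repository owners never reviewed), else None."""
    parts = urlparse(url)
    if parts.netloc.lower() not in ("github.com", "www.github.com"):
        return None
    for pattern in ATTACHMENT_PATHS:
        match = pattern.match(parts.path)
        if match:
            return {
                "url": url,
                # None for user-attachments links, which carry no repo in the path
                "repo": match.groupdict().get("repo"),
                "filename": match.group("name"),
            }
    return None


def flag_github_attachment_links(email_body):
    """Scan an email body and return every GitHub link that resolves to an
    uploaded attachment rather than to repository source or releases."""
    hits = (classify_github_link(u) for u in URL_RE.findall(email_body))
    return [hit for hit in hits if hit]


# Constructed sample phishing body; the repo path and numeric ids are made up.
SAMPLE_EMAIL = """Your 2023 tax return has been processed.
Download the statement: https://github.com/example-org/UsTaxes/files/1234567/Tax_Statement_2023.zip
Project source: https://github.com/example-org/UsTaxes/blob/main/README.md
Refund notice: https://github.com/user-attachments/files/7654321/Refund.pdf.zip"""

if __name__ == "__main__":
    for hit in flag_github_attachment_links(SAMPLE_EMAIL):
        print(f"{hit['filename']}  repo={hit['repo']}  {hit['url']}")
```

The `blob/` link to the README is left alone, while both attachment links are surfaced with their filename so a mail gateway or analyst can apply the same scrutiny as to a direct attachment.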
Furthermore, phishers are exploring new methods like ASCII- and Unicode-based QR codes and blob URLs to evade detection and trick users into divulging sensitive information.
Recent research has also revealed the expanded targeting of accommodation booking platforms by cybercriminals using the Telekopye Telegram toolkit, indicating an increase in fraudulent activities in this sector.
The Telekopye toolkit has previously been associated with online marketplace scams, in which scammers use compromised accounts to trick users into providing financial information.
Despite these challenges, law enforcement agencies have made progress in apprehending cybercriminals involved in such activities, highlighting the ongoing efforts to combat cybercrime.