New Phishing Attacks Exploit GitHub, Telegram Bots, and ASCII QR Codes

A new tax-themed malware campaign has been detected targeting the insurance and finance sectors, utilizing GitHub links in phishing emails to evade security measures and deliver the Remcos Remote Access Trojan (RAT). This tactic highlights the growing adoption of GitHub as a tool for cybercriminals.

In this campaign, legitimate repositories like UsTaxes, HMRC, and InlandRevenue were used instead of less familiar, low-rated ones, according to Cofense researcher Jacob Malimban. He explained that using well-known repositories to distribute malware is a relatively new strategy, contrasting with previous attacks where threat actors created their own malicious GitHub repositories. These malicious links can be linked to any repository that permits comments.

A key aspect of the attack involves abusing GitHub infrastructure to host malicious files. One technique, first reported by OALABS Research in March 2024, involves uploading a malicious payload via a GitHub issue on a popular repository and then closing the issue without saving it. Despite the issue being unsaved, the uploaded malware remains accessible, creating an opportunity for attackers to store any file they choose, with the only trace being the file link itself.

This method has been exploited to trick users into downloading a Lua-based malware loader that establishes persistence on infected systems and delivers additional malware, as reported by Morphisec.

In the phishing campaign identified by Cofense, a similar method is used, but instead of GitHub issues, GitHub comments are employed to attach the malware. After posting the malicious file in a comment, the comment is deleted, but the link to the malware remains active and is distributed through phishing emails.

“Emails containing GitHub links are highly effective at bypassing Secure Email Gateway (SEG) protections because GitHub is generally seen as a trusted domain,” said Cofense researcher Jacob Malimban. “These links allow threat actors to directly link to malware archives in the email without relying on methods like Google redirects, QR codes, or other techniques designed to bypass SEG filters.”

This discovery coincides with Barracuda Networks’ report of new phishing methods, including the use of ASCII and Unicode-based QR codes, as well as blob URLs, to make malicious content harder to block and detect.

“A blob URI (also known as a blob URL or object URL) is used by browsers to represent binary data or file-like objects (blobs) that are temporarily stored in the browser’s memory,” explained security researcher Ashitosh Deshnur. “This allows developers to work with binary data, like images or files, directly in the browser without needing to send or receive it from an external server.”

In addition, new research from ESET has revealed that the cybercriminals behind the Telekopye Telegram toolkit have expanded their operations beyond online marketplace scams to target accommodation booking platforms like Booking.com and Airbnb, with a notable rise in activity reported in July 2024.

These attacks involve using compromised accounts of legitimate hotels and accommodation providers to reach potential victims. Scammers claim there is an issue with the booking payment and trick individuals into clicking on a fraudulent link that asks for their financial details.

“Scammers use access to these accounts to target users who have recently booked a stay and haven’t paid yet, or who just paid, contacting them through in-platform messaging,” explained researchers Jakub Souček and Radek Jizba. “Depending on the platform and the scammer’s settings, this leads to an email or SMS from the booking platform being sent to the target.”

This approach makes the scam harder to detect, as the information seems personally relevant, arrives through expected communication channels, and links to fake websites that appear legitimate.

Additionally, the scammers have improved their tactics by automating phishing page generation, enhancing communication with victims using chatbots, and protecting phishing websites from being disrupted by competitors. This has enabled them to speed up the scam process.

Telekopye’s operations have faced setbacks, however. In December 2023, law enforcement officials from Czechia and Ukraine arrested several cybercriminals involved with the malicious Telegram bot.

According to the Police of the Czech Republic, “The individuals involved developed, maintained, and improved Telegram bots and phishing tools, while ensuring accomplices’ anonymity and offering guidance on concealing criminal activities.”

ESET added that the groups were led by middle-aged men from Eastern Europe, West, and Central Asia. They recruited individuals facing difficult circumstances, using job ads promising “easy money,” and targeted tech-savvy foreign students at universities.