News
#Information Security

How GitHub, Telegram bots and QR codes are becoming the tools of a new wave of phishing attacks

Citizen Sec, 14-10-2024

A new malware campaign has recently been observed targeting the insurance and financial sectors. The attackers place links to GitHub in phishing emails to get past email security controls and deliver the Remcos RAT malware, a sign that this technique is gaining popularity among cybercriminals.

Cofense researcher Jacob Malimban noted that this campaign uses links associated with legitimate, well-known repositories such as the UsTaxes, HMRC and InlandRevenue tax-filing software rather than obscure, low-rated repositories. Using trusted repositories to distribute malware is a relatively new tactic that lets attackers bypass protections.

At the center of the attack is abuse of GitHub's infrastructure to host malicious files. One variant of the technique, first disclosed by OALABS Research in March 2024, has attackers open an issue in a known repository, upload a malicious file to it, and then close the issue without saving it. The uploaded malware remains available even though the issue was never saved.

This tactic has been used to trick users into downloading a Lua-based malware loader capable of establishing persistence on infected systems and delivering additional malicious files. The phishing campaign discovered by Cofense takes a similar approach but uses GitHub comments instead: a file (the malware) is attached to a comment, and the comment is then deleted. The link to the file remains active and is distributed through phishing emails.

Emails with links to GitHub are effective at evading security controls, since GitHub is generally treated as a trusted domain. This lets attackers link directly to the malware archive from the email without needing other evasion methods.
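The article's point is that a github.com link is waved through precisely because the domain is trusted, and that an attachment uploaded to an issue or comment outlives the issue or comment itself. A defender therefore cannot rely on "is this repository reputable?"; the useful question is "does this link point at repository content or at GitHub's attachment storage?". The following Python triage script is an added example, not code from the article, Cofense or OALABS. It pulls URLs out of message text, keeps only github.com links whose path has the shape of an uploaded attachment rather than a repository page, and flags filenames with archive or executable extensions. The two attachment path shapes it matches, the extension list and the sample email are all assumptions I constructed for the example; adjust them to what your own mail telemetry shows.

```python
"""Flag GitHub attachment-storage links in email text.

Added example (not part of the original article). The URL shapes below are
assumptions about how GitHub serves issue/comment attachments; they are not
stated by the article and should be checked against your own observations.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed attachment URL shapes (assumption, not from the article):
#   https://github.com/<owner>/<repo>/files/<id>/<name>     (older style)
#   https://github.com/user-attachments/files/<id>/<name>   (newer style)
ATTACHMENT_PATH = re.compile(
    r"^/(?:user-attachments/files|[^/]+/[^/]+/files)/\d+/(?P<name>[^/?#]+)$"
)

# Crude URL extractor; trailing punctuation is trimmed afterwards.
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")

# Extensions commonly used for loader/RAT delivery (assumed list; tune it).
RISKY_EXT = {".zip", ".rar", ".7z", ".iso", ".img", ".exe", ".scr",
             ".js", ".vbs", ".lnk", ".bat"}

GITHUB_HOSTS = {"github.com", "www.github.com"}


@dataclass
class Finding:
    url: str
    filename: str
    risky_extension: bool


def _strip_trailing(url: str) -> str:
    """Drop punctuation that belongs to the sentence, not the URL."""
    return url.rstrip(".,;:!?)>\"'")


def _extension(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def find_github_attachments(text: str) -> list[Finding]:
    """Return every github.com link that points at attachment storage."""
    findings: list[Finding] = []
    for raw in URL_RE.findall(text):
        url = _strip_trailing(raw)
        parsed = urlparse(url)
        if parsed.netloc.lower() not in GITHUB_HOSTS:
            continue
        match = ATTACHMENT_PATH.match(parsed.path)
        if not match:
            continue  # ordinary repository content, not an upload
        name = match.group("name")
        findings.append(Finding(url, name, _extension(name) in RISKY_EXT))
    return findings


# Constructed sample message; the links and filenames are made up.
SAMPLE_EMAIL = """\
Subject: Updated tax filing package (constructed sample, not a real message)

Please review the attached package:
https://github.com/user-attachments/files/1234567/Invoice_Q3.zip.
Reference notes: https://github.com/example-org/example-repo/files/987654/notes.txt
Project page: https://github.com/example-org/example-repo/blob/main/README.md
"""


def triage(text: str = SAMPLE_EMAIL) -> dict:
    """Summarise attachment links for a SOC queue or a mail-gateway rule."""
    findings = find_github_attachments(text)
    return {
        "attachments": len(findings),
        "risky": sum(f.risky_extension for f in findings),
    }


if __name__ == "__main__":
    for f in find_github_attachments(SAMPLE_EMAIL):
        flag = "RISKY" if f.risky_extension else "ok"
        print(f"[{flag}] {f.filename}  {f.url}")
    print(triage())
```

The script deliberately ignores the owner and repository name: as the article notes, the repositories involved were legitimate, so reputation of the path prefix is not a signal here. A mail gateway rule built on this idea would quarantine or rewrite any attachment-storage link whose filename is an archive or executable, regardless of which repository it sits under.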
