Tax-Themed Phishing Campaign Uses GitHub to Deliver Remcos RAT
Introduction
In the ever-evolving landscape of cybersecurity threats, a new tax-themed malware campaign has emerged, specifically targeting the insurance and finance sectors. This campaign leverages GitHub links within phishing emails as a method to bypass security measures and deliver the notorious Remcos RAT (Remote Access Trojan). This tactic signifies a shift in the strategies employed by threat actors, revealing a growing trend of utilizing trusted platforms for malicious purposes.
The Rise of Phishing Attacks: GitHub as a Delivery Mechanism
Phishing attacks have long been a primary method for cybercriminals to gain unauthorized access to sensitive data, but their sophistication has increased dramatically. The latest campaign abuses well-known GitHub repositories, such as that of the legitimate open-source tax-filing software UsTaxes, as well as repositories associated with government entities such as HMRC and InlandRevenue.
“Using trusted repositories to deliver malware is relatively new compared to threat actors creating their own malicious GitHub repositories. This shift increases the chances of successful exploitation.”
— Jacob Malimban, Cofense Researcher
How the Campaign Operates
Central to this attack chain is the abuse of GitHub's infrastructure. One significant variation of this technique, first disclosed by OALABS Research in March 2024, involves attackers opening a GitHub issue on a reputable repository, uploading a malicious payload to it, and then abandoning the issue without ever saving it.
This leaves no visible trace of the attack on the repository, yet the uploaded file remains accessible via the link sent in the phishing email. The method is particularly effective because that link points to a legitimate domain that security filters are likely to allow.
Mechanism of the Attack
- Phishing Email Delivery: Victims receive emails containing links to malicious GitHub repositories, often with urgent tax-related messaging.
- Accessing Malicious Links: Victims are directed to GitHub pages with instructions that appear legitimate but are designed to trick them into downloading malware.
- Download and Installation: Malware is disguised as harmless tax-related files. Execution installs the Remcos RAT.
- Persistence and Data Theft: Remcos RAT provides remote control, keystroke logging, file access, and unauthorized webcam/microphone use.
Impact of Using Trusted Repositories
The strategy of employing trusted repositories to host malware represents a significant evolution in phishing tactics. By associating malicious payloads with reputable sources, threat actors can effectively evade traditional security measures.
“Emails with links to GitHub are effective at bypassing SEG security because GitHub is typically a trusted domain.”
— Jacob Malimban, Cofense
This tactic poses a unique challenge for organizations trying to protect their employees from falling victim to such schemes. As phishing campaigns become more sophisticated, businesses must adapt their security strategies.
Phishing Campaign Techniques: New Innovations in Evasion
The phishing campaign detected by Cofense employs several innovative tactics:
- Use of GitHub comments to host malware files, followed by deletion to hide malicious intent.
- Use of ASCII and Unicode-based QR codes to evade content filtering.
- Use of blob URLs to deliver malware without traditional file download paths.
Understanding Blob URLs and Their Risks
A blob URL (or blob URI) is a browser-generated `blob:` reference to binary data or a file-like object held temporarily in the browser's memory; the data it points to is assembled by script on the page rather than fetched from a server path, so a network-level filter never sees a file being downloaded.
“Blob URIs allow web developers to work with binary data like images, videos, or files directly within the browser, facilitating more dynamic interactions but also providing new opportunities for malicious exploitation.”
— Ashitosh Deshnur, Security Researcher
Expanding the Target Landscape: From Finance to Hospitality
The ramifications of such phishing campaigns extend beyond just the finance sector. Research from ESET indicates that attackers have shifted focus to online accommodation platforms like Booking.com and Airbnb.
In these cases, scammers compromise hotel provider accounts to contact users about booking payment issues, making the scam seem more authentic.
“Using compromised accounts, scammers can provide information that is personally relevant to the victims, making it harder to spot the scam.”
— Jakub Souček & Radek Jizba, ESET Researchers
Protecting Against Phishing Attacks
To combat these sophisticated campaigns, organizations should implement:
- Employee Education: Train employees regularly to spot and report phishing emails.
- Multi-Factor Authentication (MFA): Use MFA for sensitive accounts to prevent unauthorized access.
- Advanced Threat Detection Tools: Employ tools that scan emails and links for suspicious behavior.
- Regular Security Audits: Evaluate and improve security infrastructure periodically.
- Incident Response Plans: Have a tested plan in place to respond quickly to breaches.
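As an added illustration of the "advanced threat detection" item above, applied to the issue-attachment delivery described under "How the Campaign Operates": a small Python scanner (example code written for this page, not a Cofense or GitHub tool) that pulls URLs out of a message body and flags links that point at files uploaded through GitHub issues or comments rather than at repository content. The two attachment path shapes and the risky-extension list are assumptions to be verified against current GitHub behaviour and local policy; the sample email is constructed.

```python
import re
from urllib.parse import urlparse

# Assumed (not from the article): path shapes GitHub uses for files uploaded
# through issues and comments. Verify against current GitHub behaviour.
ATTACHMENT_PATHS = (
    re.compile(r"^/user-attachments/files/\d+/"),   # newer site-wide uploads
    re.compile(r"^/[^/]+/[^/]+/files/\d+/"),        # legacy per-repository uploads
)
# Assumed local policy: archive and script extensions that warrant a closer look.
RISKY_EXT = {".zip", ".rar", ".7z", ".exe", ".scr", ".js", ".vbs", ".lnk", ".iso", ".img"}
URL_RE = re.compile(r"https?://[^\s<>\"'\)]+")


def classify_url(url):
    """Return a finding for a GitHub-hosted attachment link, else None.

    Ordinary links into a repository (code, README, releases) return None;
    only links to files uploaded via issues/comments are reported, because
    those can exist without any visible issue or commit on the repository.
    """
    p = urlparse(url)
    if p.hostname not in ("github.com", "www.github.com"):
        return None
    if not any(pat.match(p.path) for pat in ATTACHMENT_PATHS):
        return None
    name = p.path.rsplit("/", 1)[-1]
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    return {"url": url, "filename": name, "risky_extension": ext in RISKY_EXT}


def scan_email_body(body):
    """Extract every URL from a message body and keep the attachment findings."""
    return [f for f in (classify_url(u) for u in URL_RE.findall(body)) if f]


# Constructed sample modelled on the campaign's urgent tax lure (not a real email).
SAMPLE = """Your 2023 tax filing needs urgent correction before the deadline.
Download the corrected form here:
https://github.com/user-attachments/files/123456/Tax_Correction_Form.zip
The filing software itself lives at https://github.com/ustaxes/UsTaxes
"""

if __name__ == "__main__":
    for finding in scan_email_body(SAMPLE):
        print(finding)
```

A secure email gateway that allowlists github.com wholesale passes both links above; this check separates the repository link, which is benign, from the attachment link, which is the one to detonate or quarantine.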
Conclusion: Staying Vigilant Against Evolving Threats
As phishing tactics continue to evolve, the use of trusted platforms like GitHub to distribute malware highlights the importance of vigilance in cybersecurity. The ability to exploit reputable domains makes these attacks particularly dangerous.
By staying informed and implementing comprehensive security measures, organizations can better protect themselves from these sophisticated threats.