GitHub, Telegram Bots, and ASCII QR Codes Abused in New Wave of Phishing Attacks

A new phishing campaign targeting the insurance and finance sectors uses GitHub, Telegram bots, and ASCII QR codes to deliver malware and evade security measures. Phishing emails carry links to trusted GitHub repositories, which are used to distribute the Remcos RAT. Blob URLs and QR code-based phishing further complicate detection, while Telegram bots facilitate scams on platforms such as Booking.com and Airbnb.

  • GitHub Abuse: Phishing emails include GitHub links to trusted repositories to deliver malware, bypassing security filters.
  • Remcos RAT: The campaign distributes Remcos RAT malware via Lua-based loaders that establish persistence and deliver further payloads.
  • Malicious GitHub Comments: Attackers upload payloads as attachments to GitHub comments and then delete the comment; the attachment link remains live, so the file is still served from the trusted domain.
  • New Techniques: ASCII QR codes and blob URLs are employed to evade detection and complicate phishing protection.
  • Telekopye Telegram Toolkit: The toolkit, once focused on marketplace scams, now targets accommodation booking platforms with interactive phishing attacks.
  • Law Enforcement Action: Cybercriminals behind the Telekopye toolkit were arrested in December 2023 by Czech and Ukrainian authorities.
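The ASCII QR code technique above defeats scanners that only look for QR images, but the rendered code still leaves a distinctive footprint in the message text: a tall run of lines built almost entirely from block glyphs. The following detector is an added example, not code from the article or from any vendor; it assumes the QR code is drawn with Unicode block characters (a common rendering, but an assumption here) and uses a constructed sample email.

```python
# Flag email bodies that contain a text-rendered ("ASCII") QR code.
# Heuristic: many consecutive lines made almost entirely of block glyphs,
# each at least as wide as the smallest QR symbol.

BLOCK_CHARS = set("\u2588\u2584\u2580\u2593\u2592\u2591")  # █ ▄ ▀ ▓ ▒ ░ (assumed glyph set)
MIN_MODULES = 21  # a version-1 QR symbol is 21x21 modules


def block_ratio(line: str) -> float:
    """Fraction of the non-space characters in `line` that are block glyphs."""
    chars = [c for c in line if not c.isspace()]
    if not chars:
        return 0.0
    return sum(c in BLOCK_CHARS for c in chars) / len(chars)


def find_ascii_qr(text: str, min_rows: int = 11, min_ratio: float = 0.9) -> list[tuple[int, int]]:
    """Return (first_line, last_line) index spans that look like a rendered QR code.

    A span is reported when at least `min_rows` consecutive lines are at
    least MIN_MODULES wide and consist almost entirely of block glyphs.
    Half-block rendering packs two module rows into one text line, so 11
    text lines already cover a 21-module symbol.
    """
    lines = text.splitlines()
    spans, start = [], None
    for i, line in enumerate(lines + [""]):  # sentinel flushes a trailing run
        row = line.strip()
        looks_like_row = len(row) >= MIN_MODULES and block_ratio(row) >= min_ratio
        if looks_like_row and start is None:
            start = i
        elif not looks_like_row and start is not None:
            if i - start >= min_rows:
                spans.append((start, i - 1))
            start = None
    return spans


# Constructed sample: a lure sentence, a 21x21 block-glyph grid, a signature.
SAMPLE_EMAIL = "Your document is ready. Scan to view:\n" + "\n".join(
    ("\u2588" * 7 + " " * 7 + "\u2588" * 7) if r % 2 == 0 else ("\u2588 " * 10 + "\u2588")
    for r in range(21)
) + "\nRegards,\nIT Support\n"

if __name__ == "__main__":
    print(find_ascii_qr(SAMPLE_EMAIL))  # prints [(1, 21)]
```

Tune `min_rows` and `min_ratio` against your own mail corpus; the same scan can run over the text extracted from HTML bodies, where these glyphs are typically placed inside `<pre>` or table cells.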

These phishing strategies demonstrate the evolving tactics of cybercriminals in using trusted platforms to bypass security measures and reach unsuspecting victims.