Tax Extension Malware Campaign: Threat Actors Target GitHub Comment Section to Bypass SEG
Summary:
Cofense has shared insights on a phishing campaign it detected earlier this year, in which actors were observed using GitHub links to bypass email security gateways and distribute malware. These links were generated by submitting GitHub comments, which can be added to a source code repository and may include, but are not limited to, proposed changes, more information from a user on an issue, or documentation. GitHub comments can typically contain formatted text, external links, and attachments, which opens the door for malicious actors to attach malware to a comment in a GitHub repository without having to upload it to the source code files of that repository. As shown below, unsanctioned files uploaded via comments end up in the files subdirectory:
hxxps[:]//github[.]com/python/cpython/files/12345678/example[.]zip
Through this method, files can be associated with a legitimate repository (e.g. python’s cpython repository) without being visible in the code. Researchers note that even if the original comment containing the malware file is deleted, the link to the malware remains live, allowing actors to send it to potential victims and infect their systems.
Security Officer Comments:
In the campaign uncovered by Cofense, threat actors sent phishing emails claiming to assist with filing taxes after the April 2024 deadline. Recipients were asked to access a tax-related documents archive via a GitHub link. This archive, which is password protected, was uploaded via comments to legitimate repositories owned by UsTaxes, HMRC, and InlandRevenue. If opened by the victim, the zip archive would lead to the installation of Remcos RAT, allowing actors to gain remote access to the victim’s system.
Victims of this campaign were limited to the Insurance and Finance sectors. According to researchers, one reason for this is that the actors were testing the effectiveness of this phishing technique before targeting other sectors. Then again, given that this was a tax-themed malware campaign, any industry could have been targeted.
Suggested Corrections:
Given GitHub’s popularity, the use of GitHub links can allow actors to bypass email security gateways. Furthermore, uploading malware to the files subdirectory of repositories like UsTaxes, HMRC, and InlandRevenue creates a sense of legitimacy, making it more challenging to detect these types of threats. Overall, users should always verify the email sender’s address and the contents of an email before anything else. GitHub repository owners should also regularly vet comments submitted to prevent the upload of malicious files.
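The URL shape described above (owner, repository, a files segment, a numeric attachment id, then the filename) is distinctive enough to match in mail or proxy logs. The following is an added example, not code from Cofense or GitHub: it classifies github.com links as comment attachments versus ordinary source-tree links and flags archive names, using the page's cpython URL and a constructed email body as inputs (the UsTaxes repository name and attachment id in the sample are placeholders).

```python
import re
from urllib.parse import urlparse

# Comment-uploaded files sit under <owner>/<repo>/files/<numeric id>/<name>.
# Newer attachment URL shapes may differ; extend the pattern if your logs show them.
_ATTACHMENT_PATH = re.compile(
    r"^/(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)/files/(?P<id>\d+)/(?P<name>[^/]+)$"
)
_ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso", ".img")
_URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+")


def classify_github_url(url):
    """Return attachment metadata if url is a GitHub comment attachment, else None."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or p.netloc.lower() != "github.com":
        return None
    m = _ATTACHMENT_PATH.match(p.path)
    if not m:
        return None  # blob/, releases/, raw links etc. do not use this shape
    return {
        "owner": m.group("owner"),
        "repo": m.group("repo"),
        "attachment_id": m.group("id"),
        "filename": m.group("name"),
        "archive": m.group("name").lower().endswith(_ARCHIVE_EXT),
    }


def scan_message(body):
    """Extract every GitHub comment-attachment link from an email body."""
    hits = []
    for url in _URL_IN_TEXT.findall(body):
        info = classify_github_url(url.rstrip(".,);"))  # drop trailing punctuation
        if info:
            info["url"] = url
            hits.append(info)
    return hits


# Constructed sample (not from the report): placeholder repo name and attachment id.
SAMPLE_EMAIL = """Your tax extension documents are ready.
Download the archive: https://github.com/UsTaxes/example-repo/files/99999999/Tax_Docs.zip
Project page: https://github.com/UsTaxes/example-repo/blob/main/README.md
"""

if __name__ == "__main__":
    for h in scan_message(SAMPLE_EMAIL):
        print(f"attachment in {h['owner']}/{h['repo']}: {h['filename']} archive={h['archive']}")
```

A hit on a repository the organisation has no business with, or any archive attachment arriving by email, is a reasonable quarantine or analyst-review trigger.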
Link(s):
https://cofense.com/blog/tax-extension-malware-campaign