Tax Extension Malware Campaign: Threat Actors Target GitHub Comment Section to Bypass Secure Email Gateways

October 9, 2024

Author: Jacob Malimban

In 2024, Cofense Intelligence detected a phishing campaign that used GitHub links to bypass Secure Email Gateway (SEG) security. In this campaign, legitimate repositories, such as those belonging to the open-source tax filing software UsTaxes, HMRC, and InlandRevenue, were used instead of unknown, low-star repositories. Using trusted repositories to deliver malware is relatively new compared to threat actors creating their own malicious GitHub repositories. These malicious GitHub links can be associated with any repository that allows comments.

The lure of this phishing campaign was an offer of tax extension assistance, framed as urgent with little time left. The linked archives on GitHub were password protected, both to lend legitimacy (passwords are commonly used when sending confidential information over email) and to thwart malware scanning solutions. The password-protected archive contained the Remcos Remote Access Trojan (RAT).

Key Points

  • GitHub was used to deliver malware from trusted repositories, but the malware existed outside of the repository’s code.
  • The trusted repositories that were abused were affiliated with legitimate tax organizations.
  • GitHub is a brand trusted by users and SEGs. Threat actors using GitHub links in phishing emails can bypass SEG security.
  • The phishing campaign targeted financial industries and claimed to help with filing taxes after the April deadline.
  • Remcos RAT was delivered in all instances of this campaign.


What are GitHub Comments?


Figure 1: A GitHub comment that uploads a file without committing it to the repository.

GitHub is a developer platform that allows for open collaboration on software projects. To facilitate communication between developers, GitHub comments can be added to the source code repository. The content of these comments may include, but is not limited to, proposed changes, more information from a user on an issue, or documentation, and can be submitted as formatted text, external links, and attachments. Comments are especially useful for project management using GitHub issues. Here, software developers can use them to document issues, create micro tasks for new contributors, receive requests for new features, and create a road map for the progress of the software.

GitHub comments are useful to a threat actor because malware can be attached to a comment in a GitHub repository without having to upload it to the source code files of that repository. This means that any organization’s legitimate GitHub repository that allows comments can contain unapproved files outside of the vetted code. This weakness has been exploited previously by attackers to deliver Redline Stealer via repositories associated with Microsoft. Unsanctioned files uploaded via comments end up in the files subdirectory:

hxxps[:]//github[.]com/python/cpython/files/12345678/example[.]zip

Note that vetted repository files are accessible from the tree subdirectory:

hxxps[:]//github[.]com/python/cpython/tree/main/Doc

Through the GitHub comments method, files can be associated with a legitimate repository (e.g. python’s cpython repository) but not be visible in the code. The original comment containing the malware files can be deleted, but the link to the malware will remain alive.
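To make the files/ versus tree/ distinction actionable for mail filtering, here is an added example (not code from the original post or from Cofense) that refangs the URLs found in an email body and flags GitHub comment-attachment links, rating archive downloads highest. The sample email bodies and the archive-extension list are constructed assumptions.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample email bodies (not taken from the original post). The first
# mirrors the campaign's lure; the second links to vetted repository content.
SAMPLE_EMAILS = [
    "Your tax extension documents are ready: "
    "hxxps[:]//github[.]com/python/cpython/files/12345678/example[.]zip "
    "(password is in the attached note)",
    "Docs live at https://github.com/python/cpython/tree/main/Doc",
]

# Anything, defanged or not, that looks like an http(s) URL.
URL_RE = re.compile(r"h(?:xx|tt)ps?\[?:\]?//\S+", re.IGNORECASE)
# A file uploaded through a comment: /<owner>/<repo>/files/<numeric id>/<name>
COMMENT_ATTACHMENT = re.compile(r"^/([^/]+)/([^/]+)/files/(\d+)/([^/]+)$")
# Vetted repository content lives under tree/, blob/ or raw/ instead.
REPO_CONTENT = re.compile(r"^/[^/]+/[^/]+/(?:tree|blob|raw)/")
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".gz", ".iso", ".img")  # assumed list


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps[:]//github[.]com/...) into a real URL."""
    return url.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def classify_github_url(url: str) -> Optional[dict]:
    """Return None for non-GitHub URLs, else a dict describing the path kind."""
    parsed = urlparse(refang(url))
    if parsed.hostname not in ("github.com", "www.github.com"):
        return None
    m = COMMENT_ATTACHMENT.match(parsed.path)
    if m:
        owner, repo, attachment_id, filename = m.groups()
        return {"kind": "comment_attachment", "owner": owner, "repo": repo,
                "attachment_id": attachment_id, "filename": filename,
                "is_archive": filename.lower().endswith(ARCHIVE_EXTS)}
    if REPO_CONTENT.match(parsed.path):
        return {"kind": "repo_content", "path": parsed.path}
    return {"kind": "other", "path": parsed.path}


def scan_email(body: str) -> list:
    """Flag comment-attachment links; archive attachments get higher severity."""
    findings = []
    for raw in URL_RE.findall(body):
        info = classify_github_url(raw)
        if info and info["kind"] == "comment_attachment":
            info["severity"] = "high" if info["is_archive"] else "medium"
            findings.append(info)
    return findings
```

Run `scan_email` over each body in `SAMPLE_EMAILS`: the first yields one high-severity finding for `example.zip` attached to python/cpython, the second yields nothing because a tree/ path is vetted repository content.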

The GitHub Comments Tax Extensions Campaign

Figure 2: Remcos RAT archive download is still active, despite the threat actor’s comment being deleted.

Using GitHub to host malware is not a new tactic. Emails with links to GitHub are effective at bypassing SEG security because GitHub is typically a trusted domain. GitHub links allow threat actors to directly link to the malware archive in the email without having to use Google redirects, QR codes, or other SEG bypass techniques.

During late Q2 2024, threat actors launched phishing emails that claimed to assist with filing taxes after the April deadline. Recipients were encouraged to click on a GitHub link to receive an archive of tax-related documents. In reality, the password-protected archive contained Remcos RAT instead of PDFs. If the victim opened the "tax documents", Remcos RAT would install on the computer and give the threat actor remote access. A version of this campaign with the Remcos RAT executable hosted directly on a threat actor's own GitHub page is ongoing.

Remcos RAT was uploaded by comments to repositories owned by UsTaxes, HMRC, and InlandRevenue. Attackers used implicitly trusted sources such as His Majesty’s Revenue & Customs and New Zealand’s Inland Revenue repositories to add legitimacy to the tax extensions campaign. Despite the original comments being deleted, the Remcos RAT download link is still active.


Who Was Targeted?


Figure 3: Sample email delivering Remcos RAT via a GitHub comment link.

As this was a tax-themed malware campaign, any industry could have been targeted, since most organizations pay taxes. Closer inspection of the data revealed that only two industries were targeted: Insurance and Finance. Any sector could have been targeted, as in the QR code campaign that aimed at many industries, but this was not the case here. One explanation is that this campaign is smaller in scope than the QR code campaign, and the threat actors were testing how effective this phishing would be against the Insurance and Finance sectors.

Figure 4: Industries targeted by GitHub tax extension campaign.