Full Report
The cybercriminals behind this campaign have been spreading the malware through malicious wedding invitations sent in private and group chats on Telegram and WhatsApp.
Analysis Summary
# Tool/Technique: Tria Malware
## Overview
Tria is a newly discovered Android malware family being distributed via malicious mobile applications disguised as fake wedding invitations. Its primary purpose is to steal sensitive user data, including SMS messages, emails (Gmail, Outlook), call logs, and data from messaging apps like WhatsApp and WhatsApp Business, with the ultimate goal of hijacking user accounts.
## Technical Details
- Type: Malware family
- Platform: Android
- Capabilities: Data exfiltration (SMS, email, call logs, messaging-app data); potential account takeover via theft of credentials and authentication codes.
- First Seen: Mid-2024
## MITRE ATT&CK Mapping
*Note: Specific ATT&CK mappings are inferred based on stated capabilities, as the article did not provide explicit mappings.*
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel
- **TA0011 - Credential Access**
- T1606 - Credentials from Web Session Cookie (Inferred if session tokens are stolen)
- **TA0005 - Defense Evasion**
- T1583.001 - Acquiring Infrastructure: Domains (Inferred if C2 infrastructure is established)
## Functionality
### Core Capabilities
- Stealing SMS messages.
- Stealing email content from Gmail and Outlook applications.
- Stealing call logs.
- Stealing data from WhatsApp and WhatsApp Business.
### Advanced Features
- Utilization of two dedicated Telegram bots to process and handle the exfiltrated data: one for general text (emails/IMs) and another specifically for SMS data.
- Used as a component in a social engineering campaign involving fake wedding invitations distributed via Telegram and WhatsApp.
## Indicators of Compromise
- File Hashes: [Not specified in the article]
- File Names: [Malicious mobile application installer associated with fake wedding invitations]
- Registry Keys: [Not specified in the article]
- Network Indicators: Data transmission likely occurs via Telegram bots established by the threat actors.
- Behavioral Indicators: Installation of an Android application prompted by an unsolicited invitation; attempts to access messages, emails, and call logs; communication with specific Telegram bots for data transfer.
## Associated Threat Actors
- Indonesian-speaking threat actors (tentative attribution based on language skills).
- The campaign is conceptually linked to the earlier "UdangaSteal" campaign, which targeted Indonesia, Malaysia, and India.
## Detection Methods
- Signature-based detection: Detection of the specific Tria malware binary through known hashes (once hashes are published).
- Behavioral detection: Monitoring for unwarranted access to SMS databases, email clients, and messaging application data directories on Android devices. Monitoring for outbound traffic to known C2 infrastructure (Telegram bots used for data exfiltration).
- YARA rules: [Not specified in the article]
## Mitigation Strategies
- Prevention: Exercise extreme caution when installing mobile applications received from unsolicited sources (especially via chat applications like Telegram/WhatsApp). Verify the legitimacy of invitations through a secondary, trusted communication channel.
- Hardening recommendations: Ensure Play Protect or equivalent security software is active on Android devices. Limit application permissions, especially for reading SMS and accessing accessibility services, unless absolutely necessary for a trusted application.
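The behavioral detection points above (unwarranted access to SMS, call logs and other apps' messages; outbound traffic to Telegram bots) and the permission-limiting advice in this section can be turned into a small triage script. The following is an added example written for this page, not code from the original report or from Kaspersky: it scores an inventory of installed apps by the permission combinations a message stealer needs, and scans network log lines for calls to the Telegram Bot API from apps that have no business making them. The app inventory, the log line format (`pkg=... url=...`), the package names and the allowlists are all constructed for the example; the Android permission strings and the `api.telegram.org/bot<token>/<method>` URL shape are real.

```python
"""Defender-side triage for the Tria-style behaviours described in the report.

Two checks, each run over constructed sample data (not data from the article):
1. permission_risk(): flags an installed app whose granted permissions combine
   SMS / call-log access with network access, or that can read other apps'
   notifications or screen content (how messaging-app data is typically read).
2. telegram_bot_traffic(): flags log lines where an app not on an allowlist
   calls the Telegram Bot API, the exfiltration path the report attributes to Tria.
"""
import re
from dataclasses import dataclass

# Real Android permission strings. Which combinations count as risky is an assumption.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
CALL_LOG_PERMS = {"android.permission.READ_CALL_LOG"}
NETWORK_PERMS = {"android.permission.INTERNET"}
# Notification-listener / accessibility bindings let an app read content of other apps
# (e.g. WhatsApp or Gmail notifications). These are service permissions, not runtime ones.
LISTENER_PERMS = {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
                  "android.permission.BIND_ACCESSIBILITY_SERVICE"}
PLAY_STORE_INSTALLER = "com.android.vending"
# Constructed baseline of packages expected to hold SMS permissions; replace with your own.
KNOWN_MESSAGING_PREFIXES = ("com.google.android.apps.messaging", "com.android.mms")
# Constructed allowlist of packages that legitimately use the Telegram Bot API.
BOT_API_ALLOWLIST = {"com.example.it-automation"}


@dataclass
class InstalledApp:
    package: str
    installer: str          # installing package; "" means sideloaded/unknown
    permissions: set


def permission_risk(app):
    """Return the reasons this app looks like a message stealer (empty list if none)."""
    if app.package.startswith(KNOWN_MESSAGING_PREFIXES):
        return []
    p = app.permissions
    has_net = bool(p & NETWORK_PERMS)
    reasons = []
    if p & SMS_PERMS and has_net:
        reasons.append("reads SMS and has network access")
    if p & CALL_LOG_PERMS and has_net:
        reasons.append("reads call log and has network access")
    if p & LISTENER_PERMS:
        reasons.append("can read other apps' notifications or screen content")
    # Sideloading alone is not malicious, so it only adds weight to an existing finding.
    if reasons and app.installer != PLAY_STORE_INSTALLER:
        reasons.append("sideloaded (not installed from Play)")
    return reasons


# Bot API URLs look like api.telegram.org/bot<numeric id>:<token>/<method>.
TELEGRAM_BOT_API = re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/\w+")
# Constructed log format for the example: "<timestamp> pkg=<package> url=<url>".
LOG_LINE = re.compile(r"pkg=(?P<pkg>\S+)\s+url=(?P<url>\S+)")


def telegram_bot_traffic(lines):
    """Return (package, url) pairs for Bot API calls from non-allowlisted apps."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        pkg, url = m.group("pkg"), m.group("url")
        if TELEGRAM_BOT_API.search(url) and pkg not in BOT_API_ALLOWLIST:
            hits.append((pkg, url))
    return hits


def triage(apps, log_lines):
    """Combine both checks into one report keyed by package name."""
    report = {a.package: permission_risk(a) for a in apps if permission_risk(a)}
    for pkg, url in telegram_bot_traffic(log_lines):
        report.setdefault(pkg, []).append(f"Telegram Bot API call: {url}")
    return report


# Constructed sample data: one benign messaging app, one suspicious sideloaded app,
# one benign weather app, plus a few constructed network log lines.
SAMPLE_APPS = [
    InstalledApp("com.google.android.apps.messaging", PLAY_STORE_INSTALLER,
                 SMS_PERMS | NETWORK_PERMS),
    InstalledApp("com.example.weddinginvite", "",
                 SMS_PERMS | CALL_LOG_PERMS | NETWORK_PERMS
                 | {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"}),
    InstalledApp("com.example.weather", PLAY_STORE_INSTALLER,
                 NETWORK_PERMS | {"android.permission.ACCESS_COARSE_LOCATION"}),
]
SAMPLE_LOG = [
    "2025-02-03T10:12:01Z pkg=com.example.weddinginvite "
    "url=https://api.telegram.org/bot123456789:AAExampleToken_-XYZ/sendMessage",
    "2025-02-03T10:12:05Z pkg=com.example.weather url=https://api.example-weather.test/v1/forecast",
    "2025-02-03T10:12:09Z pkg=com.example.it-automation "
    "url=https://api.telegram.org/bot987654321:AnotherExampleToken/sendMessage",
]

if __name__ == "__main__":
    for pkg, findings in triage(SAMPLE_APPS, SAMPLE_LOG).items():
        print(pkg)
        for f in findings:
            print("  -", f)
```

On a real device the inventory would come from `adb shell pm list packages -3` and the granted-permission lines of `adb shell dumpsys package <pkg>`, and the log lines from whatever egress proxy or on-device VPN logger the fleet uses; the parsing of those formats is left out here. The permission check is deliberately a scoring aid rather than a verdict: legitimate SMS apps hold exactly these permissions, which is why a baseline allowlist is part of the design.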
## Related Tools/Techniques
- UdangaSteal: A similar Android malware campaign uncovered previously by Kaspersky, employing different tactics but focusing on SMS theft.