Securelist

Image Credit: Securelist

No need to RSVP: a closer look at the Tria stealer campaign

  • A new report by cybersecurity firm Kaspersky analyses the Tria Stealer campaign, which has been active since March 2024, and finds it to be operated by an Indonesian-speaking individual or group targeting locals in Malaysia and Brunei. The operator sends malicious Android apps to victims disguised as wedding invitations via personal and group chats on Telegram and WhatsApp. The apps collect data such as SMS messages and email communications and send it back to the attacker through various Telegram bots; the attacker can then hijack victims' personal messaging accounts and impersonate the owners to request financial transfers.
  • Kaspersky recommends that individuals avoid installing apps from untrusted sources on their devices and use reliable security solutions to protect their mobile devices from attackers. The company also suggests that individuals be cautious while using messaging platforms and check the sender's information before clicking links or downloading files.
  • The malware, which Kaspersky products detect as HEUR:Trojan-Spy.AndroidOS.Agent.*, uses a phishing technique to target individuals in Malaysia and Brunei. Once the malware is downloaded, it gains access to SMS data, tracks call logs, messages and email data, and exfiltrates this sensitive data to various Telegram bots. The threat actor behind the malware then uses this data to take over and sign in to the victims' various accounts.
  • Kaspersky researchers discovered several APK samples tagged as Trojan-Spy.AndroidOS.Agent, originating from Malaysia and Brunei. Further investigation revealed multiple posts by Malaysian Android users on X and Facebook discussing a scam campaign involving malicious APKs and WhatsApp hijacking. The malware was found to have two versions: the first was initially detected in March 2024 and the second in August 2024, the latter slightly upgraded with additional functionality and adjusted wording in the messages sent to the Telegram bots.
  • The report estimates that the threat actor behind the Tria Stealer campaign will continue to target users in Malaysia and Brunei, aiming to take over new accounts and sign in to victims' accounts with various services to inflict further damage.
  • Kaspersky attributes the attack to an Indonesian-speaking group or individual, based on unique Indonesian-language strings found in the malware and on the naming pattern of the Telegram bots used as command-and-control infrastructure.
  • Researchers at Kaspersky found that the malware communicates with a variety of Telegram bots to send the collected information back to the operator. A different Telegram bot was used for each of the samples investigated, with a separate one for collecting data from messaging apps and email, and another to collect SMS data.
  • The malware requests permission to read SMS messages, which it then uses to access the OTP/TAC codes needed to hijack WhatsApp, Telegram, and other digital accounts. Kaspersky found that the malware requests all permissions declared in its manifest, including permissions to access messaging and call data and to read phone, email, and social media messages.
  • In addition to monitoring incoming call activities and SMS messages, the malware's newer variant collects personal messages and emails from a range of mobile phone apps such as WhatsApp and Outlook, by intercepting notifications from these apps.
  • Kaspersky researchers observed that the same target will receive phishing messages from compromised WhatsApp and Telegram accounts, and the message content would vary depending on the threat actor's intentions. The same Twitter account is also used to send the APK to victims.
  • Researchers noted similarity between the Tria Stealer malware campaign and the UdangaSteal malware campaign that targeted individuals in Indonesia, Malaysia, and India in 2023 and early 2024 to steal SMS data and exfiltrate it to Telegram bots. However, Kaspersky did not attribute the Tria Stealer campaign to the same threat actor associated with UdangaSteal.
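The permission profile described above (SMS read access for OTP/TAC codes, call-log access, and a notification listener to read WhatsApp and Outlook messages, plus network access to reach the Telegram bots) is something an analyst can triage directly from an APK's manifest. The following is an added example, not code from the report or from Kaspersky; the manifest it parses is constructed to resemble the described profile and is not a real sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the report describes: reading SMS (OTP/TAC theft), call-log
# tracking, and reading other apps' notifications (WhatsApp/Outlook messages).
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
CALL_PERMS = {"android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE"}
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

def triage_manifest(manifest_xml: str) -> dict:
    """Return the sensitive permissions an APK manifest declares and a list of
    findings that, taken together, match the stealer profile in the report."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # A notification listener is a <service> guarded by the
    # BIND_NOTIFICATION_LISTENER_SERVICE permission.
    listener = any(s.get(ANDROID_NS + "permission") == NOTIF_LISTENER
                   for s in root.iter("service"))
    findings = []
    if perms & SMS_PERMS:
        findings.append("reads SMS (OTP/TAC interception risk)")
    if perms & CALL_PERMS:
        findings.append("reads call log / phone state")
    if listener:
        findings.append("notification listener (can read WhatsApp/Outlook messages)")
    # Network access is only interesting in combination with the above.
    if "android.permission.INTERNET" in perms and len(findings) >= 2:
        findings.append("network access combined with message-reading capabilities")
    return {"permissions": sorted(p for p in perms if p), "findings": findings}

# Constructed sample manifest (hypothetical package name, not from the report).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.invite">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST)["findings"]:
        print("FLAG:", finding)
```

In practice the manifest is first extracted from the APK (for example with apktool or aapt); this function only covers the triage step on the decoded XML.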
