Threat actors are distributing the Tria malware via fake wedding invitations in Southeast Asia, especially Brunei and Malaysia.
Based on reports, the campaign has been distributing the malware through private and group chats on Telegram and WhatsApp since last year. The messages invite recipients to a wedding and urge them to install a mobile app (an Android package) to view the invitation.
Once the victim installs the fake invitation app, the malware collects sensitive data from SMS messages, emails (including Gmail and Outlook), call logs, and messaging apps such as WhatsApp and WhatsApp Business.
Researchers explained that the stolen data could allow the threat actors to access online banking, reset passwords, or hijack accounts whose authentication relies on email or messaging apps, for example by intercepting one-time codes delivered over SMS.
However, the attackers' primary goal appears to be taking full control of victims' WhatsApp and Telegram accounts, which would let them spread the malware further or send fraudulent requests for money to the victim's contacts.
The operators also use two Telegram bots to manage the stolen data: one receives text harvested from messaging apps and emails, while the other receives SMS data.
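The Telegram Bot API gives defenders a concrete network tell: stolen data is posted to `https://api.telegram.org/bot<token>/<method>`, whereas ordinary Telegram clients do not use that endpoint. The following is an added detection example written for this page, not code from the researchers or from the malware; it runs over constructed proxy log lines in an assumed `timestamp client method url status "user-agent"` format and flags clients that post to Bot API send methods, noting when one client talks to more than one bot, as the campaign described above does.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines for illustration; not real captures.
# Assumed format: <timestamp> <client_ip> <http_method> <url> <status> "<user-agent>"
# Bot tokens below are placeholders, not real Telegram credentials.
SAMPLE_LOG = """\
2025-02-10T09:12:01Z 10.0.4.17 POST https://api.telegram.org/bot123456789:AAExampleTokenOne/sendMessage 200 "okhttp/4.9.0"
2025-02-10T09:12:03Z 10.0.4.17 POST https://api.telegram.org/bot123456789:AAExampleTokenOne/sendMessage 200 "okhttp/4.9.0"
2025-02-10T09:13:40Z 10.0.4.17 POST https://api.telegram.org/bot987654321:BBExampleTokenTwo/sendMessage 200 "okhttp/4.9.0"
2025-02-10T09:14:05Z 10.0.4.22 GET https://web.telegram.org/k/ 200 "Mozilla/5.0 (Linux; Android 13)"
2025-02-10T09:15:11Z 10.0.4.31 GET https://example.com/ 200 "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')

# Bot API URLs have the shape https://api.telegram.org/bot<id>:<secret>/<method>
BOT_API_RE = re.compile(
    r'^https://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[^/]+)/(?P<method>[A-Za-z]+)'
)

# Methods a stealer would use to push harvested text or files to its operator.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, url, status, ua = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "url": url,
            "status": int(status), "ua": ua}


def find_bot_exfil(log_text):
    """Return {client_ip: summary} for clients that call Telegram Bot API send methods.

    The summary records the number of calls, the distinct bot ids contacted
    (the numeric part of the token; the secret is deliberately not copied into
    the alert) and whether more than one bot was used, which matches the
    two-bot pattern described in the article.
    """
    hits = defaultdict(lambda: {"count": 0, "bot_ids": set(), "methods": set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        m = BOT_API_RE.match(rec["url"])
        if m is None or m.group("method") not in EXFIL_METHODS:
            continue
        entry = hits[rec["ip"]]
        entry["count"] += 1
        entry["bot_ids"].add(m.group("bot_id"))
        entry["methods"].add(m.group("method"))
    for entry in hits.values():
        entry["multiple_bots"] = len(entry["bot_ids"]) > 1
    return dict(hits)


if __name__ == "__main__":
    for ip, summary in find_bot_exfil(SAMPLE_LOG).items():
        print(ip, summary)
```

Full URLs are only visible where TLS is terminated (a corporate proxy, an MDM-managed device, or an on-device capture); on plain network telemetry you will only see the SNI `api.telegram.org`, which is still worth alerting on for mobile clients since the official Telegram apps speak MTProto to Telegram's data centres rather than the Bot API. Treat the bot id as an incident artifact to report to Telegram, and do not paste the full token into tickets.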
The Tria malware operators have prioritised Android users in Malaysia.
The actual number of victims is still unknown, but the investigation found that the malware has already reached a large number of Malaysian Android users.
The researchers have not attributed the campaign to a specific group, although the evidence suggests that the operators may be based in Indonesia.
A couple of years ago, a similar campaign known as UdangaSteal also targeted Southeast Asia. Its operators stole text messages from users in Indonesia, Malaysia, and India and sent the data to their servers through a Telegram bot.
Those attackers used the same kind of social engineering to trick users into installing malicious files: bogus wedding invitations, package delivery notifications, annual tax payment reminders, and job offers.
Despite the similarities, the researchers identify significant differences between the two campaigns, including separate codebases, different geographic targets, and different attack techniques.
Android users, especially in Southeast Asia, should treat unexpected wedding invitations with suspicion, since threat actors have repeatedly used them as a lure. A legitimate invitation never requires installing an app to be read: do not install APK files or open attachments received through chat messages, keep the option to install apps from unknown sources disabled, and install apps only from the official app store.
