Vishing’s popularity has surged significantly in recent years, and this phenomenon is gradually destroying the trust factor in unknown calls from numbers that are unknown due to the rise in Voice over IP Phishing.
Commonly, calls from bank employees or salespeople occur, but what if a scammer dials instead? Recently, there has been a warning about a new and sophisticated type of phone scam called “Letscall,” where scammers trick people through voice communication.
The cybersecurity researcher at ThreatFabric discovered and released a warning about this emerging and advanced form of voice phishing (vishing).
Multi-stage Attack Chain
From a fake Google Play Store site, the operators of the “Letscall” trick the victims into downloading malicious apps by executing a multi-step attack. The victim fetches the initial stage of the malicious app chain from that page.
Here below, we have mentioned all the three stages it involves:-
- The first stage involves the following things:-
- Prepares the device.
- All the necessary permissions are obtained.
- Launches the phishing page.
- Then from the control server, download and install the second-stage malware.
- In the second stage through video or voice calls with the victim, a powerful spyware application enables the attacker to infect the targeted device by extracting data and enlisting the infected device in a P2P VOIP network for communication. App drops the third stage, connecting the victim to operators via Letscall’s WEBRTC. Maximum call quality ensured, NAT/firewall bypassed with STUN/TURN methods, including servers from Google STUN.
- The third stage complements the second-stage malware, adding functionalities such as call redirection from the victim device to the call center that is under the control of the attacker.
Vishing attacks have evolved, becoming technologically advanced. Fraudsters now employ modern voice traffic routing tech and automated victim calls with pre-recorded messages to use as lures.
As call operators who are skilled in voice social engineering attacks, the “Letscall” group comprises:-
- Android developers
- Designers
- Frontend developers
- Backend developers
Downloader
Besides this, it’s still unknown how the attacker lures the victim to the decoy page, possibly with the help of two types of attack, and here they are mentioned below:-
- Blackhat SEO technique
- Social engineering
Moreover, cybersecurity analysts discovered Google Play-like pages that are primarily optimized for mobile screens, but interestingly, they’re in Korean.
Technically, the Downloaders that are employed are somewhat simple and specific apps, which occasionally utilize custom methods.
During the initial download, Letscall Tencent Legu and Bangcle (SecShell) obfuscation is incorporated by the malware. In ZIP directories, it uses complex naming, and then to evade the security systems, it corrupts the manifest in later stages.
Such attacks can lead to major consequences, loading victims with significant loan repayments. While these intrusions are underestimated by financial institutions in most cases.
At the moment, it’s limited to South Korea only, but security analysts warn that threat actors could easily expand to other regions like the European Union due to the lack of technical barriers.
IoCs
Here below, we have mentioned the indicators of compromise:-
File sha256 hashes
Downloader
a522a039ec619a60618c2c8a9e65adb0ff6105b655c1f9b3796e52e0d25958cb
Second stage
22109901f8290dc2319bd9b49e6bf71f9ddc1af482ddb67fc6e1c3b09ecad9c8
Third stage
bf5259bf53e3747d37d21dbf43b54ff8fa3c57fc991b53fcd320658b6cf34db9
“AI-based email security measures Protect your business From Email Threats!” – .
