Tuesday, October 15, 2024

Letscall – New Sophisticated Voice over IP Phishing Attack Steal Banking Details


Vishing (voice phishing) has surged in recent years, and the rise of Voice over IP phishing is gradually eroding people's trust in calls from unknown numbers.

Calls from bank employees or salespeople are routine, but what if a scammer is on the line instead? Researchers recently warned about a new and sophisticated type of phone scam called “Letscall,” in which scammers deceive victims over voice calls.

Security researchers at ThreatFabric discovered this emerging and advanced form of voice phishing (vishing) and published a warning about it.


Multi-stage Attack Chain

The operators of “Letscall” run a multi-step attack that tricks victims into downloading malicious apps from a fake Google Play Store site. The victim fetches the first stage of the malicious app chain from that page.

Here below, we have mentioned the three stages it involves:-

  • The first stage:
      • Prepares the device.
      • Obtains all the necessary permissions.
      • Launches the phishing page.
      • Downloads and installs the second-stage malware from the control server.
  • The second stage is a powerful spyware application that lets the attacker extract data from the infected device and enlists the device in a P2P VoIP network used for video or voice calls with the victim. It drops the third stage and connects the victim to the operators through Letscall’s WebRTC infrastructure. To ensure maximum call quality and to bypass NAT and firewalls, it uses STUN/TURN methods, including Google’s STUN servers.
  • The third stage complements the second-stage malware, adding functionality such as redirecting calls from the victim’s device to a call center under the attacker’s control.

[Figure: Letscall attack chain]

Vishing attacks have evolved and become technologically advanced. Fraudsters now employ modern voice-traffic routing technology and automated calls to victims with pre-recorded messages as lures.

Alongside call operators skilled in voice social engineering, the “Letscall” group comprises:-

  • Android developers
  • Designers
  • Frontend developers
  • Backend developers

Downloader

It is still unknown how the attackers lure victims to the decoy page; two possible methods are mentioned below:-

  • Blackhat SEO technique
  • Social engineering

Moreover, cybersecurity analysts discovered Google Play-like pages that are primarily optimized for mobile screens and, interestingly, written in Korean.

Technically, the downloaders employed are fairly simple, purpose-built apps that occasionally use custom methods.

The initial downloader is protected with Tencent Legu and Bangcle (SecShell) obfuscation. In later stages, the malware uses complex naming inside its ZIP directories and corrupts the manifest to evade security systems.

Such attacks can have major consequences, leaving victims with significant loan repayments, while financial institutions in most cases underestimate these intrusions.

At the moment, it’s limited to South Korea only, but security analysts warn that threat actors could easily expand to other regions like the European Union due to the lack of technical barriers.

IoCs

Here below, we have mentioned the indicators of compromise:-

File SHA-256 hashes

  • Downloader: a522a039ec619a60618c2c8a9e65adb0ff6105b655c1f9b3796e52e0d25958cb
  • Second stage: 22109901f8290dc2319bd9b49e6bf71f9ddc1af482ddb67fc6e1c3b09ecad9c8
  • Third stage: bf5259bf53e3747d37d21dbf43b54ff8fa3c57fc991b53fcd320658b6cf34db9
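As an added defender-side example (not code from the original article or from ThreatFabric), the following Python helper hashes an APK, matches it against the three IoC hashes listed above, and checks whether its AndroidManifest.xml begins with a valid Android binary XML header, a cheap heuristic for the corrupted-manifest evasion described earlier. The APKs it constructs with build_apk() are synthetic test data, not Letscall samples.

```python
# Added triage helper for the Letscall IoCs above: exact SHA-256 matching plus a
# heuristic for the corrupted-manifest trick the report describes. The sample
# APKs built by build_apk() are constructed for testing, not real Letscall samples.
import hashlib
import io
import zipfile

# SHA-256 hashes exactly as listed in the report's IoC section.
LETSCALL_IOCS = {
    "a522a039ec619a60618c2c8a9e65adb0ff6105b655c1f9b3796e52e0d25958cb": "downloader",
    "22109901f8290dc2319bd9b49e6bf71f9ddc1af482ddb67fc6e1c3b09ecad9c8": "second stage",
    "bf5259bf53e3747d37d21dbf43b54ff8fa3c57fc991b53fcd320658b6cf34db9": "third stage",
}

# A compiled AndroidManifest.xml is Android binary XML (AXML): chunk type 0x0003
# followed by header size 0x0008, both stored little-endian.
AXML_MAGIC = b"\x03\x00\x08\x00"

def manifest_status(apk_bytes: bytes) -> str:
    """Return 'ok', 'corrupt' or 'missing' for the APK's AndroidManifest.xml."""
    try:
        with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
            if "AndroidManifest.xml" not in zf.namelist():
                return "missing"
            head = zf.read("AndroidManifest.xml")[:4]
    except zipfile.BadZipFile:
        return "corrupt"  # not even a readable ZIP container
    return "ok" if head == AXML_MAGIC else "corrupt"

def triage_apk(apk_bytes: bytes) -> dict:
    """Hash the file, look it up in the IoC list and check the manifest header."""
    digest = hashlib.sha256(apk_bytes).hexdigest()
    return {
        "sha256": digest,
        "ioc_stage": LETSCALL_IOCS.get(digest),  # None when no IoC matches
        "manifest": manifest_status(apk_bytes),
    }

def build_apk(manifest=None) -> bytes:
    """Construct a minimal APK-like ZIP for testing (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00")
        if manifest is not None:
            zf.writestr("AndroidManifest.xml", manifest)
    return buf.getvalue()
```

A file whose manifest is not AXML (for example plain-text XML) or whose ZIP container is unreadable is reported as "corrupt", which merits a closer look regardless of whether the hash is already known.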


Tushar Subhra
