Friday, June 21, 2024

Letscall – New Sophisticated Voice over IP Phishing Attack Steal Banking Details

Vishing’s popularity has surged significantly in recent years, and this phenomenon is gradually destroying the trust factor in unknown calls from numbers that are unknown due to the rise in Voice over IP Phishing.

Commonly, calls from bank employees or salespeople occur, but what if a scammer dials instead? Recently, there has been a warning about a new and sophisticated type of phone scam called “Letscall,” where scammers trick people through voice communication.

The cybersecurity researcher at ThreatFabric discovered and released a warning about this emerging and advanced form of voice phishing (vishing).

Multi-stage Attack Chain

From a fake Google Play Store site, the operators of the “Letscall” trick the victims into downloading malicious apps by executing a multi-step attack. The victim fetches the initial stage of the malicious app chain from that page.

Here below, we have mentioned all the three stages it involves:-

  • The first stage involves the following things:-
  • Prepares the device.
  • All the necessary permissions are obtained.
  • Launches the phishing page.
  • Then from the control server, download and install the second-stage malware.
  • In the second stage through video or voice calls with the victim, a powerful spyware application enables the attacker to infect the targeted device by extracting data and enlisting the infected device in a P2P VOIP network for communication. App drops the third stage, connecting the victim to operators via Letscall’s WEBRTC. Maximum call quality ensured, NAT/firewall bypassed with STUN/TURN methods, including servers from Google STUN.
  • The third stage complements the second-stage malware, adding functionalities such as call redirection from the victim device to the call center that is under the control of the attacker.
Letscall Attack Chain

Vishing attacks have evolved, becoming technologically advanced. Fraudsters now employ modern voice traffic routing tech and automated victim calls with pre-recorded messages to use as lures.

As call operators who are skilled in voice social engineering attacks, the “Letscall” group comprises:-

  • Android developers
  • Designers
  • Frontend developers
  • Backend developers

Downloader

Besides this, it’s still unknown how the attacker lures the victim to the decoy page, possibly with the help of two types of attack, and here they are mentioned below:-

  • Blackhat SEO technique
  • Social engineering

Moreover, cybersecurity analysts discovered Google Play-like pages that are primarily optimized for mobile screens, but interestingly, they’re in Korean.

Technically, the Downloaders that are employed are somewhat simple and specific apps, which occasionally utilize custom methods.

During the initial download, Letscall Tencent Legu and Bangcle (SecShell) obfuscation is incorporated by the malware. In ZIP directories, it uses complex naming, and then to evade the security systems, it corrupts the manifest in later stages.

Such attacks can lead to major consequences, loading victims with significant loan repayments. While these intrusions are underestimated by financial institutions in most cases.

At the moment, it’s limited to South Korea only, but security analysts warn that threat actors could easily expand to other regions like the European Union due to the lack of technical barriers.

IoCs

Here below, we have mentioned the indicators of compromise:-

File sha256 hashes

Downloader

a522a039ec619a60618c2c8a9e65adb0ff6105b655c1f9b3796e52e0d25958cb

Second stage

22109901f8290dc2319bd9b49e6bf71f9ddc1af482ddb67fc6e1c3b09ecad9c8

Third stage

bf5259bf53e3747d37d21dbf43b54ff8fa3c57fc991b53fcd320658b6cf34db9

“AI-based email security measures Protect your business From Email Threats!” – .

Website

Latest articles

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from Promokit.eu for...

Beware Of Illegal OTT Platforms That Exposes Sensitive Personal Information

A recent rise in data breaches from illegal Chinese OTT platforms exposes that user...

Beware Of Zergeca Botnet with Advanced Scanning & Persistence Features

A new botnet named Zergeca has emerged, showcasing advanced capabilities that set it apart...

Mailcow Mail Server Vulnerability Let Attackers Execute Remote Code

Two critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) affecting Mailcow versions before 2024-04 allow attackers to...

Hackers Attacking Vaults, Buckets, And Secrets To Steal Data

Hackers target vaults, buckets, and secrets to access some of the most classified and...

Hackers Weaponizing Windows Shortcut Files for Phishing

LNK files, a shortcut file type in Windows OS, provide easy access to programs,...

New Highly Evasive SquidLoader Attacking Employees Mimic As Word Document

Researchers discovered a new malware loader named SquidLoader targeting Chinese organizations, which arrives as...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles