Currently, LetsCall is targeting users in South Korea, but considering how sophisticated it is, researchers believe attackers can expand this campaign to European Union countries.
The rise of Vishing (voice or VoIP phishing) has impacted consumers’ trust in unidentified callers. Usually, calls from bank employees or salespeople are common, but what if a fraudster makes the call?
According to a report from ThreatFabric, published on 7 July 2023, vishing attacks have become much more sophisticated lately. In a newly detected muli-stage vishing campaign attackers are using an advanced toolset dubbed LetsCall, featuring strong evasion tactics.
LetsCall is targeting users in South Korea, but considering how sophisticated it is, ThreatFabric researchers believe attackers can expand this campaign to European Union countries. What makes it unique is that it is a “ready-to-use framework, which any threat actor could use.”
LetsCall Attack Stages
This attack comprises three stages. Researchers dubbed the first stage the Downloader, in which preparations run on the device, necessary permissions are obtained, and a phishing web page is displayed. Afterwards, the second stage of malware is downloaded from the control server.
In the first stage, the victim visits the attacker’s specially crafted phishing web page, which looks like Google Play Store and is tricked into downloading the malicious application chain.
The second stage entails a powerful spyware application. The attacker exfiltrates data and enrols the infected device into the P2P VOIP network to make voice/video calls to the victim. A legit service called ZEGOCLOUD is also abused to facilitate VOIP communication/messaging.
Since such communications are enabled through WEB RTC, the attacker uses relay servers, particularly the publicly available STUN/TURN servers, including Google STUN and self-configured servers. This process may leak credentials in the application code.
Communication can be enabled via web sockets, which may cause duplication of commands from the P2P service and web socket. An attacker can configure a white list for the phone numbers to be redirected to and a blacklist for numbers that should bypass redirection. Researchers also noted the use of nanoHTTPD for creating a local HTTP server.
In the third stage, a companion application for the second-stage malware is launched to extend its functionalities. It features phone call functionality to redirect calls from the victim’s device to the attacker’s call centre. Its APK file is similar to the second stage APK as both have the same evasion techniques and XOR-encrypted DEX files in the APK file’s root folder.
This application has a large code base and an interesting package called “phonecallapp” that contains code for the phone call manipulation attack. It can intercept incoming/outgoing calls and reroute them per the attacker’s desire. For phone call processing, attackers use a local SQLite database, the structure of which is as follows:
Part of the APK assets is pre-prepared MP3 voice messages played to the victim if outgoing bank call attempts are needed just to add legitimacy to the process by guiding the caller to the best operator from the bank. Here’s the transcript of one of these messages translated from Korean to English:
“Hello, this is Hana Bank. For … Press 1 for remittance to Hana Bank, 2 for remittance to another bank, and 3 for transaction details. For credit card connection, press 6 for other services.”
Many MP3 files imitate DTMF dialling codes to simulate sounds a victim produces when dialling pad numbers. Moreover, the third stage includes a set of commands, including Web socket commands.
The Frontend app also features tutorials and demos; two demos ThreatFabric researchers downloaded and observed the full infection chain and numerous backend APIs divided into Admin and Sys-user.
How are the Victims Tricked?
It is unclear how the attacker convinces the victim to visit the web page. Researchers suspect that attackers might be using Black SEO or social engineering techniques. What’s clear is that the pages mimic the Google Play store and can be viewed on mobile screens.
These are in the Korean language, but the script has comments in the Chinese language. Three pages researchers saw mimicked Banksalad (Loan comparison aggregator), Finda (loan comparison aggregator), and KICS (Korea Information System of Criminal-Justice Services).
Each asked for sensitive data like Resident Registration Number/ID, phone number, salary, home address, and employer identity. The data gets transferred to attackers and into a genuine loan aggregator page to request a loan.
Vishing Attacks: An Ever-Evolving Threat
Threat Fabric’s latest report has raised concerns among the cybersecurity fraternity by explaining how sophisticated vishing tools have become in trapping unsuspecting users. Per their observation, fraudsters are using modern tech for voice traffic routing. They have developed systems, aka auto-informers, capable of calling the victims automatically and even automating advertising via phone calls.
These systems play pre-recorded messages to lure users into visiting malicious URLs or giving away sensitive personal or financial data (e.g., bank account or credit card credentials).
They may even be lured into visiting their nearest ATM to withdraw cash. By combining vishing with mobile phone infection, scammers can request a micro-loan on behalf of the victim, which the victim will have to pay as financial institutions would not believe them.
If the victim suspects unusual activity, the fraudster will call them posing as the bank’s security team personnel to assure them nothing is wrong. After gaining complete control of the device, the attacker can reroute calls to any call center of their choice and even answer calls from the bank.
- New Vishing Attack Spreading FakeCalls Android Malware
- The Types of Phishing Attacks and How to Dodge All of Them
- China-Linked Spyware on Google Play Store Apps, 2m Downloads
- Phishing Scam Spoofs German Media, Broadband Conference Anga
- “Picture in Picture” Technique Exploited in New Deceptive Phishing Attack