ThreatFabric reports on a campaign that uses the Letscall toolkit, which combines Android malware with vishing. The attack begins with the installation of a fake Google Play Store, after which calls the victim believes they are placing to their bank are redirected to the attackers. The case analysed here appears to target South Korea, but the Letscall administration panel seems to offer Japanese language support as well.

Letscall – new sophisticated Vishing toolset

07 July 2023

In recent years, the rise of Vishing, also known as Voice over IP Phishing, has become so popular that it has eroded trust in calls from unknown numbers.

Receiving calls from people pretending to be bank employees is an unwelcome scenario, yet the likelihood that the incoming calls you receive during the day come from a fraudster is extremely high. During our daily threat-hunting activities, we came across a previously unseen group of malicious applications similar to others reported by Kaspersky.

The threat actor group behind these campaigns refers to this toolset as “Letscall”, which currently targets individuals from South Korea. Technically, there is nothing prohibiting them from extending the attack to European Union countries. In other words, we are dealing with a ready-to-use framework which could be used by any threat actor, as it contains all the instructions and tools needed to operate the affected devices and to communicate with the victims.

The group likely consists of:

- Android developers familiar with the modern concept of VoIP traffic routing. We say “developers” as we observed command naming differences in one of the stages.
- Designers responsible for web pages, icons, and the content for the administration panel, phishing web pages, and malicious mobile applications.
- Frontend developers familiar with JavaScript development, including VoIP traffic processing.
- Backend developers familiar with techniques to secure the backend API from unauthorised access.
- Call operators with voice social engineering skills, who can speak different languages fluently.
The attack consists of three stages:

The victim visits a specially crafted phishing web page that looks like the Google Play Store. From that page, the victim downloads the first stage of the malicious application chain.

This first stage (we will call it the downloader) runs preparations on the device, obtains the necessary permissions, opens the phishing web page, and installs the second stage malware, which is downloaded from the control server.

The second stage is a powerful spyware application that helps the attacker exfiltrate data and enrols the infected device into the P2P VoIP network used to communicate with the victim over video or voice calls. This application also drops the third stage, the next piece of the chain.

Letscall uses WebRTC technology to route the VoIP traffic and to connect the victim with call-centre operators. To achieve maximum phone or video call quality and to traverse NAT and firewalls, Letscall uses STUN/TURN methods, including Google STUN servers.

The third stage is a companion application for the second stage malware and extends some of its functions: it contains the phone call functionality used to redirect calls from the victim device to the attacker call centre.
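The STUN traffic described above is observable on the device or at the network edge. As an added defender-side example (not code from the ThreatFabric report or from Letscall), the following decodes STUN Binding messages per RFC 5389, including the XOR-MAPPED-ADDRESS that reveals the public endpoint learned during NAT traversal, and flags STUN use by packages outside an allowlist; the package names, flows and payload bytes are constructed for the example.

```python
# Added example: minimal RFC 5389 STUN decoder over constructed per-app UDP flows.
import socket
import struct

STUN_MAGIC = 0x2112A442          # fixed magic cookie since RFC 5389
STUN_BINDING_REQUEST = 0x0001
STUN_BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020

def parse_stun(payload: bytes):
    """Return (message_type, transaction_id, attrs) or None if payload is not STUN."""
    if len(payload) < 20:
        return None
    mtype, mlen, cookie = struct.unpack("!HHI", payload[:8])
    # Top two bits of a STUN type are always zero; length excludes the 20-byte header.
    if mtype & 0xC000 or cookie != STUN_MAGIC or len(payload) != 20 + mlen:
        return None
    txid, attrs, off = payload[8:20], {}, 20
    while off + 4 <= len(payload):
        atype, alen = struct.unpack("!HH", payload[off:off + 4])
        value = payload[off + 4:off + 4 + alen]
        if atype == ATTR_XOR_MAPPED_ADDRESS and len(value) >= 8 and value[1] == 0x01:
            # IPv4: port is XORed with the cookie's top 16 bits, address with the full cookie.
            port = struct.unpack("!H", value[2:4])[0] ^ (STUN_MAGIC >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ STUN_MAGIC
            attrs["xor_mapped_address"] = (socket.inet_ntoa(struct.pack("!I", addr)), port)
        off += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4-byte boundaries
    return mtype, txid, attrs

# Packages expected to speak WebRTC/STUN on this device (constructed allowlist).
ALLOWED_STUN_APPS = {"com.whatsapp", "com.google.android.apps.meetings"}

def flag_unexpected_stun(flows):
    """flows: iterable of (package, dst_port, udp_payload). Returns STUN use by non-allowlisted apps."""
    findings = []
    for pkg, dport, payload in flows:
        parsed = parse_stun(payload)
        if parsed is None or pkg in ALLOWED_STUN_APPS:
            continue
        mtype, _, attrs = parsed
        findings.append((pkg, dport, mtype, attrs.get("xor_mapped_address")))
    return findings

# Constructed sample traffic: a Binding Request, a Binding Success Response carrying
# XOR-MAPPED-ADDRESS for 203.0.113.5:54321, and a non-STUN payload on port 53.
TXID = b"\x01" * 12
SAMPLE_REQ = struct.pack("!HHI", STUN_BINDING_REQUEST, 0, STUN_MAGIC) + TXID
SAMPLE_RESP = (struct.pack("!HHI", STUN_BINDING_SUCCESS, 12, STUN_MAGIC) + TXID
               + struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, 8) + b"\x00\x01\xf5\x23\xea\x12\xd5\x47")
SAMPLE_DNS = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x00" * 8
SAMPLE_FLOWS = [("com.example.fakeplay", 19302, SAMPLE_REQ), ("com.example.fakeplay", 19302, SAMPLE_RESP),
                ("com.whatsapp", 3478, SAMPLE_REQ), ("com.android.chrome", 53, SAMPLE_DNS)]
```

Running `flag_unexpected_stun(SAMPLE_FLOWS)` reports only the two flows from the constructed `com.example.fakeplay` package, with the decoded public endpoint from the response.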
