Letscall Malware Redirects Victims’ Calls to Hacker Call Center for Voice Phishing

ThreatFabric experts studied the Letscall malware toolkit, which is used for voice phishing in South Korea.

An interesting feature of these attacks is that if the victim tries to call the bank, the malware intercepts the call and redirects it to the attackers' call center.

Once installed, this malware redirects victims’ calls to a call center controlled by hackers. There, specially trained operators posing as real bank employees learn confidential information from unsuspecting victims.

Figure: Scheme of Letscall attacks

According to ThreatFabric, the hack group behind Letscall includes Android developers, designers, interface and backend developers, and call center operators specializing in voice attacks and social engineering.

Experts describe Letscall as a multifunctional spyware or RAT (Remote Access Trojan), which was created with great attention to video and audio communication with the victim, and is also focused on intercepting messages and phone calls. Location tracking is also an important target for these attackers.

It all starts with the creators of Letscall using a multi-stage attack to trick their victims into downloading malicious apps from a website that mimics the official Google Play Store. Apparently, black hat SEO and social engineering using spam are used for this.

Figure: Fake Google Play Store

The infection therefore proceeds in several stages. First, the downloader application obtained from the fake Google Play Store prepares the victim's device for the installation of far more powerful spyware: it obtains the necessary permissions, opens the phishing page, and installs the second-stage malware received from the command and control server.

On the mentioned phishing page, which can imitate, for example, the sites of well-known loan offer aggregators, the victim is persuaded to provide confidential information: identity document details, phone number, home address, salary, name of the employer company, and so on. This data will be automatically transferred to attackers.

The hackers then either use the received data to fill out the same form on the real site (to apply for a loan), or the phishing page acts as a proxy between the victim and the real page of the loan aggregator.


The second stage of the attack is the installation of a spyware application that helps the attackers steal data and also registers the infected device on the P2P VoIP network used to communicate with the victim via video or voice calls. In addition, this application prepares the launch of the third stage of the attack.

At the third stage, another application is installed on the victim’s device, which has the functionality to make phone calls. Attackers use it to redirect calls from the victim’s device to the call center of the hackers themselves.

Moreover, among the assets of the third APK there are pre-prepared voice messages in MP3 format that will be played back if the victim tries to call the bank.


“Hello, this is Hana Bank. Press ‘1’ to transfer to Hana Bank, ‘2’ to transfer to another bank, and ‘3’ for transaction details. To activate a credit card and other services, press ‘6’,” one of these messages reads.

The researchers note that Letscall uses WebRTC, a VoIP traffic routing technology, to operate and to connect victims with call center operators. To obtain high-quality voice and video calls and to bypass NAT and firewalls, the hackers rely on STUN/TURN techniques, including Google's STUN servers.

“The third stage of the attack uses its own command set, which includes web socket commands. Some of these commands are responsible for manipulating the address book, such as creating and deleting contacts. Other commands pertain to creating, modifying, and removing filters that determine which calls should be intercepted and which should be ignored,” the researchers write.

In addition, according to the analysts, some versions of the downloader were protected with Tencent Legu obfuscation or with Bangcle (SecShell). The second and third stages of the attack used unusually long names in the directory tree of the ZIP files and various manifest mangling methods to hinder analysis.
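The indicators above (long directory names inside the APK ZIP, pre-recorded MP3 prompts under assets/, and an app that can take control of outgoing calls) lend themselves to a simple triage check. The script below is an added example, not ThreatFabric's tooling or anything taken from the Letscall samples; it builds a constructed APK-like ZIP in memory and scores it, and the Android permission and service names it searches for are real identifiers chosen for this example, not names given by the article.

```python
import io
import zipfile

# Real Android identifiers that let an app observe or redirect outgoing calls
# (chosen for this example; the article does not name the exact mechanism).
CALL_CONTROL_MARKERS = (
    b"android.permission.PROCESS_OUTGOING_CALLS",
    b"android.telecom.CallRedirectionService",
)
LONG_DIR_THRESHOLD = 200  # characters; ordinary APK paths are far shorter


def marker_variants(marker: bytes):
    # The binary AndroidManifest string pool stores strings as UTF-8 or UTF-16LE.
    return (marker, marker.decode().encode("utf-16-le"))


def triage_apk(apk_bytes: bytes) -> dict:
    """Count Letscall-style indicators in one APK supplied as bytes."""
    findings = {"long_dirs": 0, "mp3_assets": 0, "call_control": 0}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            dirpart = name.rsplit("/", 1)[0] if "/" in name else ""
            if len(dirpart) > LONG_DIR_THRESHOLD:
                findings["long_dirs"] += 1
            if name.startswith("assets/") and name.lower().endswith(".mp3"):
                findings["mp3_assets"] += 1
        if "AndroidManifest.xml" in names:
            manifest = zf.read("AndroidManifest.xml")
            for marker in CALL_CONTROL_MARKERS:
                if any(v in manifest for v in marker_variants(marker)):
                    findings["call_control"] += 1
    # Call control alone is legitimate for dialer apps; flag it only in combination.
    findings["suspicious"] = findings["call_control"] > 0 and (
        findings["long_dirs"] > 0 or findings["mp3_assets"] > 0)
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample ZIP reproducing the indicators; not a real APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        perm = "android.permission.PROCESS_OUTGOING_CALLS".encode("utf-16-le")
        zf.writestr("AndroidManifest.xml", b"<manifest>" + perm + b"</manifest>")
        zf.writestr("assets/" + "a" * 260 + "/bank_greeting.mp3", b"ID3")
        zf.writestr("assets/menu_prompt.mp3", b"ID3")
        zf.writestr("classes.dex", b"dex\n035")
    return buf.getvalue()
```

A real triage would decode the binary manifest properly instead of byte-searching it; the substring check here is only a cheap first pass.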

“Voice phishing has evolved and become more technologically advanced and sophisticated, as scammers now use modern technologies for routing voice traffic and systems that automatically call the victim (the so-called auto-informers, which are usually used to automate advertising through phone calls), and play pre-recorded bait messages. If the victim falls for the bait, the call center operator will answer the call and tell them how to act as the scammer wants. An attacker can trick victims into going to a nearby ATM to withdraw cash, or push them into disclosing personal information, including bank account details, bank card details, or credentials,” the experts warn.

About the author

Volodymyr Krasnogolovy

I'm a journalist, cybersecurity specialist, content manager, copywriter, and photojournalist. With a deep passion for cybersecurity and a diverse skill set, I'm excited to share my expertise through this blog. From researching the latest threats to crafting engaging narratives and capturing powerful visuals, I strive to provide valuable insights and raise awareness about the importance of cybersecurity.