Letscall Toolkit Used for Voice Phishing in South Korea
ThreatFabric experts recently studied the Letscall toolkit, which is used for voice phishing in South Korea. Last year, Kaspersky Lab discovered and described these attacks for the first time, and called them Fakecalls.
Once installed, this malware redirects the victims’ calls to a call center controlled by the hackers, where specially trained operators posing as real bank employees extract confidential information from unsuspecting victims.
According to ThreatFabric, the hack group behind Letscall includes Android developers, designers, interface and backend developers, and call center operators specializing in voice attacks and social engineering.
What is Letscall?
Experts describe Letscall as multifunctional spyware, a RAT (Remote Access Trojan) built with particular attention to video and audio communication with the victim and to intercepting messages and phone calls. Location tracking is another important goal for these attackers.
It all starts with the creators of Letscall using a multi-stage attack to lure victims into downloading malicious apps from a website that mimics the official Google Play Store. Black hat SEO and spam-based social engineering are apparently used to drive victims to that site.
The infection then proceeds in several stages. First, the downloader application, obtained from the fake Google Play Store, prepares the victim’s device for the installation of powerful spyware: it obtains the necessary permissions, opens a phishing page, and installs the second-stage malware received from the command and control server.
On the aforementioned phishing page, which can imitate, for example, the sites of well-known aggregators of loan offers, the victim is persuaded to provide confidential information: details of an identity document, phone number, home address, salary, name of the employer company, and so on. This data will be automatically transferred to attackers.
The hackers then either use the received data to fill out the same form on the real site (to apply for a loan), or the phishing page itself acts as a proxy between the victim and the loan aggregator’s page.
The Third Stage of the Attack
The second stage of the attack is the installation of a spyware application that helps the attackers steal data and also registers the infected device on the P2P VoIP network used to communicate with the victim via video or voice calls. This application also prepares the launch of the third stage of the attack.
At the third stage, yet another application is installed on the victim’s device, one with the functionality to make phone calls. The attackers use it to redirect calls from the victim’s device to their own call center.
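As an added defender-side illustration (this code is not part of the ThreatFabric report or this article), the Python below triages installed apps by the permission profile the chain described above depends on: calls, messages, location and audio/video together. The dumpsys-style layout, the package names and the threshold are constructed assumptions, not Letscall indicators.

```python
import re
# Capability groups mirroring what the article attributes to Letscall (calls,
# messages, location, audio/video). Permission names are real Android ones;
# the grouping and the threshold below are this example's own assumptions.
CAPABILITIES = {
    "calls": {"android.permission.CALL_PHONE", "android.permission.ANSWER_PHONE_CALLS",
              "android.permission.READ_CALL_LOG"},
    "messages": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "audio_video": {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"},
}
# Constructed sample in a simplified "dumpsys package" layout (not real output or
# package names): an ordinary messenger and one app matching the spyware profile.
SAMPLE_DUMPSYS = """\
Package [com.example.chat] (a1b2c3):
  requested permissions:
    android.permission.INTERNET
    android.permission.READ_SMS
    android.permission.CAMERA
Package [com.example.loanhelper] (d4e5f6):
  requested permissions:
    android.permission.INTERNET
    android.permission.CALL_PHONE
    android.permission.READ_CALL_LOG
    android.permission.READ_SMS
    android.permission.ACCESS_FINE_LOCATION
    android.permission.RECORD_AUDIO
"""
PKG_RE = re.compile(r"^Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s+(android\.permission\.[A-Z_]+)\s*$")

def parse_requested_permissions(text):
    """Map each package name to the set of permissions it requests."""
    perms, current = {}, None
    for line in text.splitlines():
        if m := PKG_RE.match(line):
            current = m.group(1)
            perms[current] = set()
        elif (m := PERM_RE.match(line)) and current:
            perms[current].add(m.group(1))
    return perms

def matched_capabilities(requested):
    """Capability groups covered by a permission set, sorted by name."""
    return sorted(cap for cap, names in CAPABILITIES.items() if requested & names)

def flag_suspects(text, min_caps=3):
    """Packages combining at least min_caps groups; the messenger stays below that."""
    found = {pkg: matched_capabilities(req) for pkg, req in parse_requested_permissions(text).items()}
    return {pkg: caps for pkg, caps in found.items() if len(caps) >= min_caps}
```

On a real device the input would come from `adb shell dumpsys package <pkg>` for each third-party package; the parser only reads the bare names under "requested permissions:", so granted/denied state is not considered.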