Letscall – new sophisticated Vishing toolset

MITRE Techniques

• [T1566.002] Phishing – The attacker uses spearphishing links via a decoy page that resembles Google Play Store to lure victims. Quote: “The victim visits a specially crafted phishing web page that looks like Google Play Store.”
• [T1036] Masquerading – phishing pages mimic legitimate banking/loan platforms to appear trustworthy. Quote: “These pages mimic Banksalad (Loan comparison aggregator), Finda (loan comparison aggregator) and KICS (Korea Information System of Criminal-Justice Services).”
• [T1105] Ingress Tool Transfer – the downloader downloads and installs the second-stage malware from the control server. Quote: “The first stage (we will call it the downloader) runs preparations on the device, obtains the necessary permissions, opens the phishing web page, and installs the second stage malware, which will be downloaded from the control server.”
• [T1027] Obfuscated/Compressed Files and Information – APKs contain obfuscated/encoded data (long path names, XOR-encrypted DEX files) to hide code; manifest corruption and code packing are used. Quote: “The core DEX file does not contain the code that is listed inside the manifest… contains obfuscated code… and one-byte XOR encryption.”
• [T1548.003] Abuse of Accessibility Features – The third-stage delivery uses abused accessibility services to inject interface elements into Chrome and drop the third-stage malware. Quote: “By abusing the accessibility services, it will push the necessary interface elements inside of Chrome and deliver the third-stage malware to the victim.”
• [T1071.001] Web Protocols – The malware uses WebSocket-based communications and P2P channels (and WebRTC) for C2/VOIP, including “web sockets” commands. Quote: “Such functionality is needed to perform P2P voice/video connection… and the same channel is also used for C2 communication with many different commands. The malware also supports communication using web sockets.”