Recently researchers released a warning about a new vishing technique that being used in South Korea. This new technique has been dubbed “lastcall”. Lastcall is a multi-step attack profile that involves the use of malware in an attacker-controlled imitation of the Google Play Store. If the target downloads the malware, things go quickly south as the malware redirects calls to the attacker’s phone operators. The phone operators are trained to imitate banking employees. These employees then extract information which can be used for follow-on financial fraud.
The Lastcall malware leverages a number of sophisticated tactics to carry out their operations. Some of these tactics include leveraging STUN (Session Traversal Utilities for NAT), TURN (Traversal Using Relays around NAT). These are combined with VoIP and WebRTC to maintain high-quality communication with the target and to bypass firewall restrictions. The attackers have even been seen leveraging Google’s own STUN servers as part of their attacks. The multi-phase payload with advanced evasion techniques including obfuscation (SecShell) complex naming structures and corrupted manifests to bypass security only add to the fun.
Lastcall does not just reroute calls though, the researchers at ThreatFabirc also observed capabilities to allow attackers to add, remove, edit contacts, and modify call filters to determine which calls should be intercepted by their call center and which should be ignored (allowing for normal operation). The Lastcall malware also incorporates programed calls with messages to add to the deception. Unlike many other groups, Lastcall seems to utilize micro-loans in the victim’s name as part of their revenue stream. They use the data gained from the victim, take out the loan and then assure the victim that any activity is normal. The amounts are small enough that they might not trigger investigations by financial institutions.
These tactics show a particularly sophisticated group and while they might only be targeting South Korea, they could expand their area of operations at any time. The fact that they have been able to develop such a sophisticated tactic and workflow for their organization shows a deep understanding of how these systems work. Lastcall highlights the fact that attackers are typically more skilled than the groups trying to stop them. Lastcall should also be an eyeopener for organizations that are still not protecting their employees’ personal devices like phones. If your organization has not developed a well-formed social engineering defense training system and/or does not incorporate social engineering attacks into your existing security testing, you should do so now. A bit or proactive policy writing and testing can go a very long way to minimizing this particular attack vector.
