Cyber Security Threat Summary:
“An e-crime actor of Mexican provenance has been linked to an Android mobile malware campaign targeting financial institutions globally, but with a specific focus on Spanish and Chilean banks, from June 2021 to April 2023. The activity is being attributed to an actor codenamed Neo_Net, according to security researcher Pol Thill. The findings were published by SentinelOne following a Malware Research Challenge in collaboration with vx-underground. ‘Despite using relatively unsophisticated tools, Neo_Net has achieved a high success rate by tailoring their infrastructure to specific targets, resulting in the theft of over 350,000 EUR from victims' bank accounts and compromising Personally Identifiable Information (PII) of thousands of victims,’ Thill said” (The Hacker News, 2023).

Neo_Net is known for selling phishing panels, victim data to third parties, and a smishing-as-a-service called Ankarex that is designed to target a number of countries across the globe. For its part, Ankarex has been around since May 2022 and is promoted on a Telegram channel with approximately 1,700 subscribers. The service can be accessed using via a domain (ankarex[.]net) set up by the actors. Once users register, they can upload funds using cryptocurrency transfers and launch their own dedicated campaigns.

Security Officer Comments:
Neo_Net has targeted several major banks including Santander, BBVA, CaixaBank, Deutsche Bank, Crédit Agricole, and ING. To infect potential victims, the group relies on SMS phishing, where the actors will employ various tactics to convince recipients to click on bogus landing pages. These pages are created with the help of Neo_Net’s panels and closely resemble legitimate banking applications. For their part, the pages are designed to harvest banking credentials which are further exfiltrated via a Telegram bot and used by the actors to log in to victims’ accounts. Given that banks will typically offer customers two-factor authentication, the threat actors have also been observed tricking victims into installing rogue Android applications masquerading as security software. Once installed, the rogue app will capture two-factor authentication codes sent by the victim’s bank, enabling the actors to log in successfully.

Suggested Correction(s):
Avoid clicking on links in messages that come from unknown senders as this is a typical infection vector employed by threat actors. Users should also be careful when downloading software, especially from third-party sites. Before installing software, it should be scanned via anti-virus solutions for malicious executables.

IOCs:
https://www.sentinelone.com/blog/neo_net-the-kingpin-of-spanish-ecrime/

Link(s):
https://thehackernews.com/2023/07/mexico-based-hacker-targets-global.html