Neo_Net | The Kingpin of Spanish eCrime

In partnership with vx-underground, SentinelOne recently ran its first Malware Research Challenge, in which we asked researchers across the cybersecurity community to submit previously unpublished work to showcase their talents and bring their insights to a wider audience.

Today’s post marks the start of a series highlighting the best entries, beginning with the winner from Pol Thill, Cyber Threat Intelligence Analyst at QuoIntelligence.

This in-depth and meticulous research into a cybercrime threat actor targeting thousands of clients of financial institutions makes a significant contribution to our understanding of the cybersecurity landscape and is the worthy winner of our challenge.

Executive Summary

  • Neo_Net has been conducting an eCrime campaign targeting clients of prominent banks globally, with a focus on Spanish and Chilean banks, from June 2021 to April 2023.
  • Despite using relatively unsophisticated tools, Neo_Net has achieved a high success rate by tailoring their infrastructure to specific targets, resulting in the theft of over 350,000 EUR from victims’ bank accounts and compromising Personally Identifiable Information (PII) of thousands of victims.
  • The campaign employs a multi-stage attack strategy, starting with targeted SMS phishing messages distributed across Spain and other countries, using Sender IDs (SIDs) to create an illusion of authenticity and mimicking reputable financial institutions to deceive victims.
  • Neo_Net has established and rented out a wide-ranging infrastructure, including phishing panels and Android trojans, to multiple affiliates, sold compromised victim data to third parties, and launched a successful Smishing-as-a-Service offering targeting various countries worldwide.

Introduction

An extensive eCrime campaign has been observed targeting clients of prominent banks around the world from June 2021 to April 2023. Notably, the threat actors have predominantly focused on Spanish and Chilean banks, with 30 out of 50 targeted financial institutions headquartered in Spain or Chile, including major banks such as Santander, BBVA and CaixaBank. Banks targeted in other regions include Deutsche Bank, Crédit Agricole and ING. A complete list can be found in Appendix A at the end of this post.

Despite employing relatively unsophisticated tools, the threat actors have achieved a high success rate by tailoring their infrastructure to their specific targets. The campaign has resulted in the theft of over 350,000 EUR from victims’ bank accounts, along with the compromise of a significant amount of Personally Identifiable Information (PII), including telephone numbers, national identity numbers, and names from thousands of victims.

The mastermind behind this operation, known as Neo_Net, has established and rented out a wide-ranging infrastructure, including phishing panels, Smishing software, and Android trojans to multiple affiliates, sold compromised victim data to interested third parties, and has even launched a successful Smishing-as-a-Service offering that targets various countries worldwide. This report will provide a detailed overview of the campaign and delve into the background of Neo_Net, shedding light on his operations over the years.

Fig 1: Countries targeted by Neo_Net
Fig 1: Countries targeted by Neo_Net

eCrime Campaign against Financial Institutions

The campaign employed a sophisticated multi-stage attack strategy that commenced with targeted SMS phishing messages distributed across Spain using Neo_Net’s proprietary service, Ankarex. These messages leveraged Sender IDs (SIDs) to create an illusion of authenticity, mimicking reputable financial institutions in an attempt to deceive the victims.

Fig 2: Demonstration of Ankarex’s SID functionality in the Ankarex News Channel
Fig 2: Demonstration of Ankarex’s SID functionality in the Ankarex News Channel

The SMS messages employed various scare tactics, such as claiming that the victim’s account had been accessed by an unauthorized device or that their card had been temporarily limited due to security concerns. The messages also contained a hyperlink to the threat actor’s phishing page.

The phishing pages were meticulously set up using Neo_Net’s panels, PRIV8, and implemented multiple defense measures, including blocking requests from non-mobile user agents and concealing the pages from bots and network scanners. These pages were designed to closely resemble genuine banking applications, complete with animations to create a convincing façade:

Fig 3: BBVA and Santander phishing pages
Fig 3: BBVA and Santander phishing pages

Upon submission of their credentials, the victims’ information was surreptitiously exfiltrated to a designated Telegram chat via the Telegram Bot API, granting the threat actors unrestricted access to the stolen data, including the victims’ IP addresses and user agents.

Neo_Net’s affiliates discussing captured credentials and the corresponding bank account
Fig 4: Neo_Net’s affiliates discussing captured credentials and the corresponding bank account

Subsequently, the threat actors employed various techniques to circumvent the Multi-Factor Authentication (MFA) mechanisms commonly employed by banking applications. One such approach involved coaxing victims into installing a purported security application for their bank account on their Android devices.

Fig 5: Android application impersonating ING
Fig 5: Android application impersonating ING

However, this application served no legitimate security purpose and merely requested permissions to send and view SMS messages.

Fig 6: BBVA application showing the SMS permission request after victim clicks on “Actualizar” button
Fig 6: BBVA application showing the SMS permission request after victim clicks on “Actualizar” button

In reality, these Android trojans functioned as modified versions of the publicly available Android SMS spyware known as SMS Eye. Some threat actors further obfuscated the trojan using public packers to evade detection by anti-malware solutions. These Android trojans covertly exfiltrated incoming SMS messages to a distinct dedicated Telegram chat.

Fig 7: Telegram messages showing exfiltrated BBVA OTPs
Fig 7: Telegram messages showing exfiltrated BBVA OTPs

The exfiltrated messages could then be utilized to bypass MFA on the targeted accounts by capturing One-Time Passwords (OTPs). Additionally, the threat actors were also observed employing direct phone calls to victims, possibly to impersonate bank representatives and deceive victims into installing the Android spyware or divulging OTPs.

The threat actors employed this method to target clients of several prominent banks around the world.

The funds illicitly acquired from victims during the course of the year-long operation amounted to a minimum of 350,000 EUR. However, it is probable that the actual sum is significantly higher, as older operations and transactions that do not involve SMS confirmation messages may not be fully accounted for due to limited visibility.

Neo_Net

Neo_Net, the prominent actor responsible for the global cybercrime campaign, has been active in the cybersecurity landscape at least since early 2021. He maintains a public GitHub profile under the name “notsafety” and a Telegram account that showcases his work and identifies him as the founder of Ankarex, a Smishing-as-a-Service platform.

Fig 8: Neo_Net’s Telegram profile
Fig 8: Neo_Net’s Telegram profile

Through his contributions on Telegram, Neo_Net has been linked to the “macosfera.com” forum, a Spanish-language IT forum. Email addresses registered with the forum’s domain were found in relation to several phishing panels created by Neo_Net, targeting Spanish banks and other institutions. These email addresses were used as usernames for the panels, suggesting that Neo_Net may have collaborated with individuals from this forum to set up his infrastructure. The phishing panels also clearly indicate Neo_Net as the creator, with his signature on top of the php files.

Fig 9: Phishing panels with links to macosfera[.]com (VirusTotal)
Fig 9: Phishing panels with links to macosfera[.]com (VirusTotal)

Ankarex

Neo_Net’s main creation is the Ankarex Smishing-as-a-Service platform, which has been active since at least May 2022. The Ankarex News Channel on Telegram, which advertises the service, currently has 1700 subscribers and regularly posts updates about the software, as well as limited offers and giveaways.

Fig 10: Halloween offer for 15% extra funds when recharging the account
Fig 10: Halloween offer for 15% extra funds when recharging the account

The service itself is accessible at ankarex[.]net, and once registered, users can upload funds using cryptocurrency transfers and launch their own Smishing campaigns by specifying the SMS content and target phone numbers. Ankarex currently targets 9 countries but has historically operated in additional regions.

Fig 11: Ankarex target countries and prices list
Fig 11: Ankarex target countries and prices list

In addition to the Smishing service, Neo_Net has also offered leads, including victims’ names, email addresses, IBANs, and phone numbers for sale on the Ankarex Channel. He has also advertised his Android SMS spyware service to selected members. Notably, every channel created to exfiltrate the captured SMS messages has Neo_Net listed as an administrator, and several package names of the Android trojans allude to their creator with names such as com.neonet.app.reader. It is likely that Neo_Net rented his infrastructure to affiliates, some of whom have been observed working with him on multiple unique campaigns, allowing them to conduct phishing and funds transfers independently.

Fig 12: Neo_Net demonstrating Ankarex on his own phone and exhibiting remarkable OPSEC throughout his campaigns
Fig 12: Neo_Net demonstrating Ankarex on his own phone and exhibiting remarkable OPSEC throughout his campaigns

Throughout his year-long operation, Neo_Net has been traced back to several unique IP addresses, indicating that he currently resides in Mexico. Neo_Net primarily operates in Spanish-speaking countries and communicates predominantly in Spanish with his affiliates. Communication in the Ankarex channel is almost exclusively done in Spanish.

However, Neo_Net has also been observed collaborating with non-Spanish speakers, including another cybercriminal identified by the Telegram handle devilteam666. This particular operation involved the use of Google Ads targeting crypto wallet owners, and devilteam666 continues to offer malicious Google Ads services on his Telegram channel.

Conclusion

Despite employing mostly unsophisticated tools and techniques, such as simple SMS spyware and phishing panels, Neo_Net and his affiliates have managed to steal hundreds of thousands of euros and compromise the personally identifiable information (PII) of thousands of victims worldwide. The success of their campaigns can be attributed to the highly targeted nature of their operations, often focusing on a single bank, and copying their communications to impersonate bank agents. Furthermore, due to the simplicity of SMS spyware, it can be difficult to detect, as it only requires permission to send and view SMS messages.

Neo_Net has also been observed reusing compromised PII for further profit. A significant amount of eCrime against mobile users in Spain over the past two years can be directly traced back to Neo_Net’s operation, including his phishing panels, Smishing-as-a-Service platform, and Android trojans.

These campaigns highlight that while Multi-Factor Authentication is robust, it can be circumvented if it relies on SMS, and that physical tokens or external applications would provide better protection in such cases.

Want to read more posts from the VX-Underground/SentinelOne Malware Research Challenge? Click here.

Acknowledgments

Special thanks go to @malwrhunterteam who posted about several samples used in this campaign on his Twitter account.

Appendix A: Targeted Financial Institutions

  • Spain: Santander, BBVA, CaixaBank, Sabadell, ING España, Unicaja, Kutxabank, Bankinter, Abanca, Laboral Kutxa, Ibercaja, BancaMarch, CajaSur, OpenBank, Grupo Caja Rural, Cajalmendralejo, MoneyGo, Cecabank, Cetelem, Colonya, Self Bank, Banca Pueyo
  • France: Crédit Agricole, Caisse d’Epargne, La Banque postale, Boursorama, Banque de Bretagne
  • Greece: National Bank of Greece
  • Germany: Sparkasse, Deutsche Bank, Commerzbank
  • United Kingdom: Santander UK
  • Austria: BAWAG P.S.K.
  • Netherlands: ING
  • Poland: PKO Bank Polski
  • Chile: BancoEstado, Scotiabank (Cencosud Scotiabank), Santander (officebanking), Banco Ripley, Banco de Chile, Banco Falabella, Banco de Crédito e Inversiones, Itaú CorpBanca
  • Colombia: Bancolombia
  • Venezuela: Banco de Venezuela
  • Peru: BBVA Peru
  • Ecuador: Banco Pichincha
  • Panama: Zinli
  • USA: Prosperity Bank, Greater Nevada Credit Union
  • Australia: CommBank

Appendix B

Indicators of Compromise

APK SHA1 Hashes Main Activity Name Impersonated Institution
de8929c1a0273d0ed0dc3fc55058e0cb19486b3c com.neonet.app.reader.MainActivity BBVA
b344fe1bbb477713016d41d996c0772a308a5146 com.neonet.app.reader.MainActivity Laboral Kutxa
8a099af61f1fa692f45538750d42aab640167fd2 com.neonet.app.reader.MainActivity Correos
ab14161e243d478dac7a83086ed4839f8ad7ded8 com.neonet.app.reader.MainActivity BBVA
ded2655512de7d3468f63f9487e16a0bd17818ff com.neonet.app.reader.MainActivity CaixaBank
a5208de82def52b4019a6d3a8da9e14a13bc2c43 com.neonet.app.reader.MainActivity CaixaBank
21112c1955d131fa6cab617a3d7265acfab783c2 com.neonet.app.reader.MainActivity Openbank
6ea53a65fe3a1551988c6134db808e622787e7f9 com.neonet.app.reader.MainActivity Unicaja
62236a501e11d5fbfe411d841caf5f2253c150b8 com.neonet.app.reader.MainActivity BBVA
7f0c3fdbfcdfc24c2da8aa3c52aa13f9b9cdda84 com.neonet.app.reader.MainActivity BBVA
f918a6ecba56df298ae635a6a0f008607b0420b9 com.neonet.app.reader.MainActivity Santander
ffbcdf915916595b96f627df410722cee5b83f13 com.neonet.app.reader.MainActivity BBVA
7b4ab7b2ead7e004c0d93fe916af39c156e0bc61 com.neonet.app.reader.MainActivity CajaSur
34d0faea99d94d3923d0b9e36ef9e0c48158e7a0 com.neonet.app.reader.MainActivity BBVA
e6c485551d4f209a0b7b1fa9aa78b7efb51be49b com.neonet.app.reader.MainActivity BBVA
1df3ed2e2957efbd1d87aac0c25a3577318b8e2a com.neonet.app.reader.MainActivity BBVA
6a907b8e5580a5067d9fb47ef21826f164f68f3f com.neonet.app.reader.MainActivity Grupo Caja Rural
5d1c7ff3d16ec770cf23a4d82a91358b9142d21a com.neonet.app.reader.MainActivity Grupo Caja Rural
86ad0123fa20b7c0efb6fe8afaa6a756a86c9836 com.neonet.app.reader.MainActivity Grupo Caja Rural
14a36f18a45348ad9efe43b20d049f3345735163 com.neonet.app.reader.MainActivity Cajalmendralejo
b506503bb71f411bb34ec8124ed26ae27a4834b9 com.neonet.app.reader.MainActivity BBVA
afe84fa17373ec187781f72c330dfb7bb3a42483 com.cannav.cuasimodo.jumper.actividades BBVA
445468cd5c298f0393f19b92b802cfa0f76c32d4 com.cannav.cuasimodo.jumper.actividades BBVA
8491ff15ad27b90786585b06f81a3938d5a61b39 com.cannav.cuasimodo.jumper.actividades BBVA
2714e0744ad788142990696f856c5ffbc7173cf4 com.cannav.cuasimodo.jumper.actividades BBVA
1ce0afe5e09b14f8aee6715a768329660e95121e com.cannav.cuasimodo.jumper.actividades BBVA
96a3600055c63576be9f7dc97c5b25f1272edd2b com.cannav.cuasimodo.jumper.actividades BBVA
9954ae7d31ea65cd6b8cbdb396e7b99b0cf833f4 com.cannav.cuasimodo.jumper.actividades BBVA
07159f46a8adde95f541a123f2dda6c49035aad1 com.cannav.cuasimodo.jumper.actividades BBVA
ab19a95ef3adcb83be76b95eb7e7c557812ad2f4 com.cannav.cuasimodo.jumper.actividades BBVA
db8eeab4ab2e2e74a34c47ad297039485ff75f22 com.cannav.cuasimodo.jumper.actividades BBVA
dbf0cec18caabeb11387f7e6d14df54c808e441d com.cannav.cuasimodo.jumper.actividades BBVA
69d38eed5dc89a7b54036cc7dcf7b96fd000eb92 com.cannav.cuasimodo.jumper.actividades BBVA
c38107addc00e2a2f5dcb6ea0cbce40400c23b49 com.cannav.cuasimodo.jumper.actividades BBVA
279048e07c25fd75c4cef7c64d1ae741e178b35b com.uklapon.mafin.chinpiling.actividades Bankinter
ef8c5d639390d9ba138ad9c2057524ff6e1398de BBVA
e7c2d0c80125909d85913dfb941bdc373d677326 ING
145bd67f94698cc5611484f46505b3dc825bd6cd BancoEstado

Phishing Domains

bbva.info-cliente[.]net
santander.esentregas[.]ga
bbva.esentregas[.]ga
correos.esentregas[.]ga

Appendix C: MITRE ATT&CK Tags

ID Technique Explanation
T1406.002 Obfuscated Files or Information: Software Packing Some APK files are packed and drop the unpacked dex file once executed
T1633.001 Virtualization/Sandbox Evasion: System Checks Some APK files have been modified and initially check for common sandbox names before unpacking
T1426 System Information Discovery The Sms Eye trojan collects the brand and model of the infected phone
T1636.004 Protected User Data: SMS Messages The Sms Eye trojan collects incoming SMS messages
T1437.001 Application Layer Protocol: Web Protocols The Sms Eye trojan exfiltrates SMS messages over HTTPS
T1481.003 Web Service: One-Way Communication The Sms Eye trojan uses the Telegram Bot API to exfiltrate SMS messages
T1521.002 Encrypted Channel: Asymmetric Cryptography The C2 channel is encrypted by TLS
T1646 Exfiltration Over C2 Channel The SMS messages are exfiltrated over the C2 channel