In partnership with vx-underground, SentinelOne recently ran its first Malware Research Challenge, in which we asked researchers across the cybersecurity community to submit previously unpublished work to showcase their talents and bring their insights to a wider audience.
This in-depth and meticulous research into a cybercrime threat actor targeting thousands of clients of financial institutions makes a significant contribution to our understanding of the cybersecurity landscape and is the worthy winner of our challenge.
Neo_Net has been conducting an eCrime campaign targeting clients of prominent banks globally, with a focus on Spanish and Chilean banks, from June 2021 to April 2023.
Despite using relatively unsophisticated tools, Neo_Net has achieved a high success rate by tailoring their infrastructure to specific targets, resulting in the theft of over 350,000 EUR from victims’ bank accounts and compromising Personally Identifiable Information (PII) of thousands of victims.
The campaign employs a multi-stage attack strategy, starting with targeted SMS phishing messages distributed across Spain and other countries, using Sender IDs (SIDs) to create an illusion of authenticity and mimicking reputable financial institutions to deceive victims.
Neo_Net has established and rented out a wide-ranging infrastructure, including phishing panels and Android trojans, to multiple affiliates, sold compromised victim data to third parties, and launched a successful Smishing-as-a-Service offering targeting various countries worldwide.
An extensive eCrime campaign has been observed targeting clients of prominent banks around the world from June 2021 to April 2023. Notably, the threat actors have predominantly focused on Spanish and Chilean banks, with 30 out of 50 targeted financial institutions headquartered in Spain or Chile, including major banks such as Santander, BBVA and CaixaBank. Banks targeted in other regions include Deutsche Bank, Crédit Agricole and ING. A complete list can be found in Appendix A at the end of this post.
Despite employing relatively unsophisticated tools, the threat actors have achieved a high success rate by tailoring their infrastructure to their specific targets. The campaign has resulted in the theft of over 350,000 EUR from victims’ bank accounts, along with the compromise of a significant amount of Personally Identifiable Information (PII), including telephone numbers, national identity numbers, and names from thousands of victims.
The mastermind behind this operation, known as Neo_Net, has established and rented out a wide-ranging infrastructure, including phishing panels, Smishing software, and Android trojans to multiple affiliates, sold compromised victim data to interested third parties, and has even launched a successful Smishing-as-a-Service offering that targets various countries worldwide. This report will provide a detailed overview of the campaign and delve into the background of Neo_Net, shedding light on his operations over the years.
Fig 1: Countries targeted by Neo_Net
eCrime Campaign against Financial Institutions
The campaign employed a sophisticated multi-stage attack strategy that commenced with targeted SMS phishing messages distributed across Spain using Neo_Net’s proprietary service, Ankarex. These messages leveraged Sender IDs (SIDs) to create an illusion of authenticity, mimicking reputable financial institutions in an attempt to deceive the victims.
Fig 2: Demonstration of Ankarex’s SID functionality in the Ankarex News Channel
The SMS messages employed various scare tactics, such as claiming that the victim’s account had been accessed by an unauthorized device or that their card had been temporarily limited due to security concerns. The messages also contained a hyperlink to the threat actor’s phishing page.
The phishing pages were meticulously set up using Neo_Net’s panels, PRIV8, and implemented multiple defense measures, including blocking requests from non-mobile user agents and concealing the pages from bots and network scanners. These pages were designed to closely resemble genuine banking applications, complete with animations to create a convincing façade:
Fig 3: BBVA and Santander phishing pages
Upon submission of their credentials, the victims’ information was surreptitiously exfiltrated to a designated Telegram chat via the Telegram Bot API, granting the threat actors unrestricted access to the stolen data, including the victims’ IP addresses and user agents.
Fig 4: Neo_Net’s affiliates discussing captured credentials and the corresponding bank account
Subsequently, the threat actors employed various techniques to circumvent the Multi-Factor Authentication (MFA) mechanisms commonly employed by banking applications. One such approach involved coaxing victims into installing a purported security application for their bank account on their Android devices.
Fig 5: Android application impersonating ING
However, this application served no legitimate security purpose and merely requested permissions to send and view SMS messages.
Fig 6: BBVA application showing the SMS permission request after victim clicks on “Actualizar” button
In reality, these Android trojans functioned as modified versions of the publicly available Android SMS spyware known as SMS Eye. Some threat actors further obfuscated the trojan using public packers to evade detection by anti-malware solutions. These Android trojans covertly exfiltrated incoming SMS messages to a distinct dedicated Telegram chat.
Fig 7: Telegram messages showing exfiltrated BBVA OTPs
The exfiltrated messages could then be utilized to bypass MFA on the targeted accounts by capturing One-Time Passwords (OTPs). Additionally, the threat actors were also observed employing direct phone calls to victims, possibly to impersonate bank representatives and deceive victims into installing the Android spyware or divulging OTPs.
The threat actors employed this method to target clients of several prominent banks around the world.
The funds illicitly acquired from victims during the course of the year-long operation amounted to a minimum of 350,000 EUR. However, it is probable that the actual sum is significantly higher, as older operations and transactions that do not involve SMS confirmation messages may not be fully accounted for due to limited visibility.
Neo_Net, the prominent actor responsible for the global cybercrime campaign, has been active in the cybersecurity landscape at least since early 2021. He maintains a public GitHub profile under the name “notsafety” and a Telegram account that showcases his work and identifies him as the founder of Ankarex, a Smishing-as-a-Service platform.
Fig 8: Neo_Net’s Telegram profile
Through his contributions on Telegram, Neo_Net has been linked to the “macosfera.com” forum, a Spanish-language IT forum. Email addresses registered with the forum’s domain were found in relation to several phishing panels created by Neo_Net, targeting Spanish banks and other institutions. These email addresses were used as usernames for the panels, suggesting that Neo_Net may have collaborated with individuals from this forum to set up his infrastructure. The phishing panels also clearly indicate Neo_Net as the creator, with his signature on top of the php files.
Fig 9: Phishing panels with links to macosfera[.]com (VirusTotal)
Neo_Net’s main creation is the Ankarex Smishing-as-a-Service platform, which has been active since at least May 2022. The Ankarex News Channel on Telegram, which advertises the service, currently has 1700 subscribers and regularly posts updates about the software, as well as limited offers and giveaways.
Fig 10: Halloween offer for 15% extra funds when recharging the account
The service itself is accessible at ankarex[.]net, and once registered, users can upload funds using cryptocurrency transfers and launch their own Smishing campaigns by specifying the SMS content and target phone numbers. Ankarex currently targets 9 countries but has historically operated in additional regions.
Fig 11: Ankarex target countries and prices list
In addition to the Smishing service, Neo_Net has also offered leads, including victims’ names, email addresses, IBANs, and phone numbers for sale on the Ankarex Channel. He has also advertised his Android SMS spyware service to selected members. Notably, every channel created to exfiltrate the captured SMS messages has Neo_Net listed as an administrator, and several package names of the Android trojans allude to their creator with names such as com.neonet.app.reader. It is likely that Neo_Net rented his infrastructure to affiliates, some of whom have been observed working with him on multiple unique campaigns, allowing them to conduct phishing and funds transfers independently.
Fig 12: Neo_Net demonstrating Ankarex on his own phone and exhibiting remarkable OPSEC throughout his campaigns
Throughout his year-long operation, Neo_Net has been traced back to several unique IP addresses, indicating that he currently resides in Mexico. Neo_Net primarily operates in Spanish-speaking countries and communicates predominantly in Spanish with his affiliates. Communication in the Ankarex channel is almost exclusively done in Spanish.
However, Neo_Net has also been observed collaborating with non-Spanish speakers, including another cybercriminal identified by the Telegram handle devilteam666. This particular operation involved the use of Google Ads targeting crypto wallet owners, and devilteam666 continues to offer malicious Google Ads services on his Telegram channel.
Despite employing mostly unsophisticated tools and techniques, such as simple SMS spyware and phishing panels, Neo_Net and his affiliates have managed to steal hundreds of thousands of euros and compromise the personally identifiable information (PII) of thousands of victims worldwide. The success of their campaigns can be attributed to the highly targeted nature of their operations, often focusing on a single bank, and copying their communications to impersonate bank agents. Furthermore, due to the simplicity of SMS spyware, it can be difficult to detect, as it only requires permission to send and view SMS messages.
Neo_Net has also been observed reusing compromised PII for further profit. A significant amount of eCrime against mobile users in Spain over the past two years can be directly traced back to Neo_Net’s operation, including his phishing panels, Smishing-as-a-Service platform, and Android trojans.
These campaigns highlight that while Multi-Factor Authentication is robust, it can be circumvented if it relies on SMS, and that physical tokens or external applications would provide better protection in such cases.
Want to read more posts from the VX-Underground/SentinelOne Malware Research Challenge? Click here.
Special thanks go to @malwrhunterteam who posted about several samples used in this campaign on his Twitter account.
Appendix A: Targeted Financial Institutions
Spain: Santander, BBVA, CaixaBank, Sabadell, ING España, Unicaja, Kutxabank, Bankinter, Abanca, Laboral Kutxa, Ibercaja, BancaMarch, CajaSur, OpenBank, Grupo Caja Rural, Cajalmendralejo, MoneyGo, Cecabank, Cetelem, Colonya, Self Bank, Banca Pueyo
France: Crédit Agricole, Caisse d’Epargne, La Banque postale, Boursorama, Banque de Bretagne
Greece: National Bank of Greece
Germany: Sparkasse, Deutsche Bank, Commerzbank
United Kingdom: Santander UK
Austria: BAWAG P.S.K.
Poland: PKO Bank Polski
Chile: BancoEstado, Scotiabank (Cencosud Scotiabank), Santander (officebanking), Banco Ripley, Banco de Chile, Banco Falabella, Banco de Crédito e Inversiones, Itaú CorpBanca
Venezuela: Banco de Venezuela
Peru: BBVA Peru
Ecuador: Banco Pichincha
USA: Prosperity Bank, Greater Nevada Credit Union
Indicators of Compromise
APK SHA1 Hashes
Main Activity Name
Grupo Caja Rural
Grupo Caja Rural
Grupo Caja Rural
Appendix C: MITRE ATT&CK Tags
Obfuscated Files or Information: Software Packing
Some APK files are packed and drop the unpacked dex file once executed
Virtualization/Sandbox Evasion: System Checks
Some APK files have been modified and initially check for common sandbox names before unpacking
System Information Discovery
The Sms Eye trojan collects the brand and model of the infected phone
Protected User Data: SMS Messages
The Sms Eye trojan collects incoming SMS messages
Application Layer Protocol: Web Protocols
The Sms Eye trojan exfiltrates SMS messages over HTTPS
Web Service: One-Way Communication
The Sms Eye trojan uses the Telegram Bot API to exfiltrate SMS messages
Encrypted Channel: Asymmetric Cryptography
The C2 channel is encrypted by TLS
Exfiltration Over C2 Channel
The SMS messages are exfiltrated over the C2 channel