URL: https://www.sentinelone.com/blog/neo_net-the-kingpin-of-spanish-ecrime/

NEO_NET | THE KINGPIN OF SPANISH ECRIME

July 3, 2023
by Pol Thill

In partnership with vx-underground, SentinelOne recently ran its first Malware
Research Challenge, in which we asked researchers across the cybersecurity
community to submit previously unpublished work to showcase their talents and
bring their insights to a wider audience.

Today’s post marks the start of a series highlighting the best entries,
beginning with the winner from Pol Thill.

This in-depth and meticulous research into a cybercrime threat actor targeting
thousands of clients of financial institutions makes a significant contribution
to our understanding of the cybersecurity landscape and is the worthy winner of
our challenge.




EXECUTIVE SUMMARY

 * Neo_Net has been conducting an eCrime campaign targeting clients of prominent
   banks globally, with a focus on Spanish and Chilean banks, from June 2021 to
   April 2023.
 * Despite using relatively unsophisticated tools, Neo_Net has achieved a high
   success rate by tailoring their infrastructure to specific targets, resulting
   in the theft of over 350,000 EUR from victims’ bank accounts and compromising
   Personally Identifiable Information (PII) of thousands of victims.
 * The campaign employs a multi-stage attack strategy, starting with targeted
   SMS phishing messages distributed across Spain and other countries, using
   Sender IDs (SIDs) to create an illusion of authenticity and mimicking
   reputable financial institutions to deceive victims.
 * Neo_Net has established and rented out a wide-ranging infrastructure,
   including phishing panels and Android trojans, to multiple affiliates, sold
   compromised victim data to third parties, and launched a successful
   Smishing-as-a-Service offering targeting various countries worldwide.


INTRODUCTION

An extensive eCrime campaign has been observed targeting clients of prominent
banks around the world from June 2021 to April 2023. Notably, the threat actors
have predominantly focused on Spanish and Chilean banks, with 30 out of 50
targeted financial institutions headquartered in Spain or Chile, including major
banks such as Santander, BBVA and CaixaBank. Banks targeted in other regions
include Deutsche Bank, Crédit Agricole and ING. A complete list can be found in
Appendix A at the end of this post.

Despite employing relatively unsophisticated tools, the threat actors have
achieved a high success rate by tailoring their infrastructure to their specific
targets. The campaign has resulted in the theft of over 350,000 EUR from
victims’ bank accounts, along with the compromise of a significant amount of
Personally Identifiable Information (PII), including telephone numbers, national
identity numbers, and names from thousands of victims.

The mastermind behind this operation, known as Neo_Net, has established and
rented out a wide-ranging infrastructure, including phishing panels, Smishing
software, and Android trojans to multiple affiliates, sold compromised victim
data to interested third parties, and has even launched a successful
Smishing-as-a-Service offering that targets various countries worldwide. This
report will provide a detailed overview of the campaign and delve into the
background of Neo_Net, shedding light on his operations over the years.

Fig 1: Countries targeted by Neo_Net


ECRIME CAMPAIGN AGAINST FINANCIAL INSTITUTIONS

The campaign employed a multi-stage attack chain that began with targeted SMS
phishing messages distributed across Spain through Neo_Net’s own service,
Ankarex. These messages used spoofed Sender IDs (SIDs) so that they appeared to
come from reputable financial institutions, creating an illusion of
authenticity in order to deceive the victims.

Fig 2: Demonstration of Ankarex’s SID functionality in the Ankarex News Channel

The SMS messages employed various scare tactics, such as claiming that the
victim’s account had been accessed by an unauthorized device or that their card
had been temporarily limited due to security concerns. The messages also
contained a hyperlink to the threat actor’s phishing page.

The phishing pages were built with PRIV8, Neo_Net’s phishing panel, and
implemented several evasion measures: requests from non-mobile user agents were
blocked, and the pages were hidden from bots and network scanners, so a desktop
browser or an automated crawler fetching the URL is likely to be served nothing
useful. The pages themselves closely resembled genuine banking applications,
complete with animations to create a convincing façade:

Fig 3: BBVA and Santander phishing pages

Once a victim submitted their credentials, the form data was exfiltrated to a
designated Telegram chat through the Telegram Bot API, together with the
victim’s IP address and user agent, giving the threat actors unrestricted
access to the stolen data.
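Exfiltration through the Telegram Bot API leaves a recognisable trace wherever full request URLs are logged, because the bot token and the destination chat_id travel in the request itself. The script below is an added example, not code from the original post or from the PRIV8 panel it describes. It scans constructed egress-log lines in a Squid-style "timestamp client method url status" format (an assumption; adapt the line parser to your own proxy) for calls to api.telegram.org that carry a bot token and a message-sending method, then extracts the chat ID and posted text while redacting the token. Without TLS inspection a proxy sees only the hostname, so this works on logs from the phishing host itself or from a TLS-inspecting proxy, not on plain SNI logs.

```python
"""Detect credential exfiltration to the Telegram Bot API in outbound web logs.

Added example, not code from the original post or from the phishing panel it
describes. Assumes a Squid-style egress log line: "<timestamp> <client-ip>
<method> <url> <status>". The token layout (8-10 digits, colon, 35-character
secret) is the documented Telegram bot-token format.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed tokens and log lines for the example; not real campaign indicators.
TOKEN_A = "123456789:AAH" + "x" * 32          # 3 + 32 = 35-character secret part
TOKEN_B = "987654321:" + "B" * 35
SAMPLE_LOG = f"""\
2023-04-02T10:14:07Z 10.20.0.5 POST https://api.telegram.org/bot{TOKEN_A}/sendMessage?chat_id=-1001234567890&text=BBVA+user%3Dvictim 200
2023-04-02T10:14:09Z 10.20.0.5 GET https://www.example-bank.test/static/app.js 200
2023-04-02T10:15:31Z 10.20.0.5 GET https://api.telegram.org/bot{TOKEN_A}/sendMessage?chat_id=-1001234567890&text=otp%3D482913 200
2023-04-02T10:16:00Z 10.20.0.9 GET https://api.telegram.org/bot{TOKEN_B}/getUpdates 200
2023-04-02T10:16:12Z 10.20.0.7 GET https://web.telegram.org/ 200
"""

# Bot API calls that push data out of the host; getUpdates and friends are polling.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}
BOT_PATH_RE = re.compile(r"^/bot(\d{8,10}):([A-Za-z0-9_-]{35})/(\w+)$")


@dataclass
class Finding:
    timestamp: str
    client: str
    http_method: str
    bot_id: str
    token: str        # redacted form, safe to paste into a ticket
    api_method: str
    chat_id: str
    text: str


def redact_token(bot_id: str, secret: str) -> str:
    """Keep the bot ID and the first four secret characters for correlation only."""
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


def parse_line(line: str):
    parts = line.split()
    if len(parts) != 5:
        return None
    return {"timestamp": parts[0], "client": parts[1], "method": parts[2], "url": parts[3]}


def detect_telegram_exfil(log_text: str) -> list[Finding]:
    """Return one Finding per message-sending Bot API call seen in the log."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["url"])
        if url.hostname != "api.telegram.org":
            continue
        m = BOT_PATH_RE.match(url.path)
        if not m:
            continue
        bot_id, secret, api_method = m.groups()
        if api_method not in EXFIL_METHODS:
            continue  # polling calls deserve a separate, lower-severity alert
        # chat_id/text may be in a POST body instead; the token in the path is enough to flag.
        qs = parse_qs(url.query)
        findings.append(Finding(
            timestamp=rec["timestamp"], client=rec["client"], http_method=rec["method"],
            bot_id=bot_id, token=redact_token(bot_id, secret), api_method=api_method,
            chat_id=qs.get("chat_id", [""])[0], text=qs.get("text", [""])[0],
        ))
    return findings


if __name__ == "__main__":
    for f in detect_telegram_exfil(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client} -> bot {f.token} chat {f.chat_id}: {f.text!r}")
```

Two consecutive hits from the same host to the same chat, one carrying what looks like a login and the next an OTP, is the pattern to alert on; a single getUpdates call is a bot polling and is worth a lower-severity note rather than an exfiltration alert.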

Fig 4: Neo_Net’s affiliates discussing captured credentials and the
corresponding bank account

Subsequently, the threat actors employed various techniques to circumvent the
Multi-Factor Authentication (MFA) mechanisms commonly employed by banking
applications. One such approach involved coaxing victims into installing a
purported security application for their bank account on their Android devices.

Fig 5: Android application impersonating ING

This application served no legitimate security purpose, however, and merely
requested the Android permissions needed to send and read SMS messages
(SEND_SMS and READ_SMS, plus RECEIVE_SMS for incoming messages).

Fig 6: BBVA application showing the SMS permission request after the victim
clicks the “Actualizar” (“Update”) button

In reality, these Android trojans functioned as modified versions of the
publicly available Android SMS spyware known as SMS Eye. Some threat actors
further obfuscated the trojan using public packers to evade detection by
anti-malware solutions. These Android trojans covertly exfiltrated incoming SMS
messages to a distinct dedicated Telegram chat.

Fig 7: Telegram messages showing exfiltrated BBVA OTPs

The exfiltrated messages could then be utilized to bypass MFA on the targeted
accounts by capturing One-Time Passwords (OTPs). Additionally, the threat actors
were also observed employing direct phone calls to victims, possibly to
impersonate bank representatives and deceive victims into installing the Android
spyware or divulging OTPs.

The threat actors employed this method to target clients of several prominent
banks around the world.
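The trojan described above is easy to characterise statically: the whole capability is three SMS permissions, a receiver hooked to the incoming-SMS broadcast and network access to forward what it reads. The script below is an added example, not code from the original post or from the trojans it describes. It triages a plain-text AndroidManifest.xml as produced by apktool or any other AXML decoder (the binary manifest inside a raw APK must be decoded first) and scores the indicators; the three manifests are constructed for the example, the com.neonet. package prefix comes from Appendix B, and the weights and thresholds are this example's own heuristics.

```python
"""Triage a decoded AndroidManifest.xml for SMS-stealer indicators.

Added example, not code from the original post or from the trojans it describes.
Works on the plain-text manifest produced by apktool (or any AXML decoder).
Scoring weights and thresholds are this example's own heuristics.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"

SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS"}
INTERNET = "android.permission.INTERNET"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
IOC_PACKAGE_PREFIXES = ("com.neonet.",)   # package family listed in Appendix B

# Constructed manifests: a minimal SMS forwarder, an ordinary app that reads SMS
# for OTP autofill among other permissions, and one with nothing SMS-related.
STEALER_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.neonet.app.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="BBVA Seguridad">
    <activity android:name="com.neonet.app.reader.MainActivity"/>
    <receiver android:name="com.neonet.app.reader.SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
OTP_APP_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.wallet">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <application android:label="Wallet"><activity android:name=".Main"/></application>
</manifest>"""
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Torch"><activity android:name=".Main"/></application>
</manifest>"""


def triage_manifest(xml_text: str) -> dict:
    """Score a decoded manifest and return the indicators that drove the score."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {el.get(A_NAME) for el in root.iter("uses-permission")}
    # Receivers on the incoming-SMS broadcast are how the spyware sees OTPs.
    sms_receivers = [
        rcv.get(A_NAME) for rcv in root.iter("receiver")
        if any(a.get(A_NAME) == SMS_RECEIVED for a in rcv.iter("action"))
    ]
    other = sorted(perms - SMS_PERMS - {INTERNET})
    ioc_match = package.startswith(IOC_PACKAGE_PREFIXES)

    score = 0
    if SMS_PERMS <= perms:
        score += 3                  # full send/receive/read set
    elif perms & SMS_PERMS:
        score += 1                  # partial, e.g. READ_SMS for OTP autofill
    if sms_receivers:
        score += 2
    if perms & SMS_PERMS and INTERNET in perms:
        score += 1                  # a path to exfiltrate what it reads
    if perms & SMS_PERMS and not other:
        score += 1                  # minimal footprint: nothing else requested
    if ioc_match:
        score += 3

    verdict = ("likely SMS stealer" if score >= 5 else
               "review" if score >= 2 else "no SMS-stealer indicators")
    return {"package": package,
            "sms_permissions": sorted(p for p in perms if p in SMS_PERMS),
            "sms_receivers": sms_receivers, "other_permissions": other,
            "ioc_package_match": ioc_match, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for m in (STEALER_MANIFEST, OTP_APP_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(f"{r['package']:<26} score={r['score']:>2}  {r['verdict']}")
```

The "minimal footprint" rule is the interesting one: a legitimate messaging or wallet app that reads SMS normally asks for much more, so an app whose only permissions are the SMS set plus INTERNET is suspicious precisely because it asks for so little. Packed samples will still show the permissions and receiver in the manifest even when the real code is hidden, which is why manifest triage is a useful first pass before unpacking.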

The funds illicitly acquired from victims over the course of the operation
amounted to at least 350,000 EUR. The real figure is probably considerably
higher: the estimate rests on the SMS confirmation messages that were
exfiltrated, so older operations and transactions that do not trigger an SMS
confirmation are not fully accounted for.


NEO_NET

Neo_Net, the actor behind this campaign, has been active in the eCrime scene
since at least early 2021. He maintains a public GitHub profile under the name
“notsafety” and a Telegram account that showcases his work and identifies him as
the founder of Ankarex, a Smishing-as-a-Service platform.

Fig 8: Neo_Net’s Telegram profile

Through his contributions on Telegram, Neo_Net has been linked to the
“macosfera.com” forum, a Spanish-language IT forum. Email addresses registered
with the forum’s domain were found in relation to several phishing panels
created by Neo_Net, targeting Spanish banks and other institutions. These email
addresses were used as usernames for the panels, suggesting that Neo_Net may
have collaborated with individuals from this forum to set up his infrastructure.
The phishing panels also clearly indicate Neo_Net as the creator, with his
signature on top of the php files.

Fig 9: Phishing panels with links to macosfera[.]com (VirusTotal)


ANKAREX

Neo_Net’s main creation is the Ankarex Smishing-as-a-Service platform, which has
been active since at least May 2022. The Ankarex News Channel on Telegram, which
advertises the service, currently has 1700 subscribers and regularly posts
updates about the software, as well as limited offers and giveaways.

Fig 10: Halloween offer for 15% extra funds when recharging the account

The service itself is accessible at ankarex[.]net, and once registered, users
can upload funds using cryptocurrency transfers and launch their own Smishing
campaigns by specifying the SMS content and target phone numbers. Ankarex
currently targets 9 countries but has historically operated in additional
regions.

Fig 11: Ankarex target countries and prices list

In addition to the Smishing service, Neo_Net has also offered leads, including
victims’ names, email addresses, IBANs, and phone numbers for sale on the
Ankarex Channel. He has also advertised his Android SMS spyware service to
selected members. Notably, every channel created to exfiltrate the captured SMS
messages has Neo_Net listed as an administrator, and several package names of
the Android trojans allude to their creator with names such as
com.neonet.app.reader. It is likely that Neo_Net rented his infrastructure to
affiliates, some of whom have been observed working with him on multiple unique
campaigns, allowing them to conduct phishing and funds transfers independently.

Fig 12: Neo_Net demonstrating Ankarex on his own phone and exhibiting remarkable
OPSEC throughout his campaigns

Over the course of the operation, Neo_Net has been traced to several distinct
IP addresses, which indicate that he currently resides in Mexico. He operates
primarily in Spanish-speaking countries and communicates with his affiliates
predominantly in Spanish; communication in the Ankarex channel is almost
exclusively in Spanish as well.

However, Neo_Net has also been observed collaborating with non-Spanish speakers,
including another cybercriminal identified by the Telegram handle devilteam666.
This particular operation involved the use of Google Ads targeting crypto wallet
owners, and devilteam666 continues to offer malicious Google Ads services on his
Telegram channel.


CONCLUSION

Despite employing mostly unsophisticated tools and techniques, such as simple
SMS spyware and phishing panels, Neo_Net and his affiliates have managed to
steal hundreds of thousands of euros and compromise the personally identifiable
information (PII) of thousands of victims worldwide. Their success comes from
the highly targeted nature of the operations, which often focus on a single
bank and copy its genuine communications so that affiliates can convincingly
impersonate bank agents. The SMS spyware is also hard to catch precisely
because it is so simple: it needs nothing beyond the permissions to send and
read SMS messages, which many legitimate apps also request.

Neo_Net has also been observed reusing compromised PII for further profit. A
significant amount of eCrime against mobile users in Spain over the past two
years can be directly traced back to Neo_Net’s operation, including his phishing
panels, Smishing-as-a-Service platform, and Android trojans.

These campaigns highlight that while Multi-Factor Authentication is robust, it
can be circumvented if it relies on SMS, and that physical tokens or external
applications would provide better protection in such cases.


ACKNOWLEDGMENTS

Special thanks go to @malwrhunterteam who posted about several samples used in
this campaign on his Twitter account.


APPENDIX A: TARGETED FINANCIAL INSTITUTIONS

 * Spain: Santander, BBVA, CaixaBank, Sabadell, ING España, Unicaja, Kutxabank,
   Bankinter, Abanca, Laboral Kutxa, Ibercaja, BancaMarch, CajaSur, OpenBank,
   Grupo Caja Rural, Cajalmendralejo, MoneyGo, Cecabank, Cetelem, Colonya, Self
   Bank, Banca Pueyo
 * France: Crédit Agricole, Caisse d’Epargne, La Banque postale, Boursorama,
   Banque de Bretagne
 * Greece: National Bank of Greece
 * Germany: Sparkasse, Deutsche Bank, Commerzbank
 * United Kingdom: Santander UK
 * Austria: BAWAG P.S.K.
 * Netherlands: ING
 * Poland: PKO Bank Polski
 * Chile: BancoEstado, Scotiabank (Cencosud Scotiabank), Santander
   (officebanking), Banco Ripley, Banco de Chile, Banco Falabella, Banco de
   Crédito e Inversiones, Itaú CorpBanca
 * Colombia: Bancolombia
 * Venezuela: Banco de Venezuela
 * Peru: BBVA Peru
 * Ecuador: Banco Pichincha
 * Panama: Zinli
 * USA: Prosperity Bank, Greater Nevada Credit Union
 * Australia: CommBank


APPENDIX B


INDICATORS OF COMPROMISE

APK SHA1 Hashes Main Activity Name Impersonated Institution


PHISHING DOMAINS

bbva.info-cliente[.]net
santander.esentregas[.]ga
bbva.esentregas[.]ga
correos.esentregas[.]ga


APPENDIX C: MITRE ATT&CK TAGS

ID | Technique | Explanation
 * T1406.002 | Obfuscated Files or Information: Software Packing | Some APK
   files are packed and drop the unpacked dex file once executed
 * T1633.001 | Virtualization/Sandbox Evasion: System Checks | Some APK files
   have been modified and initially check for common sandbox names before
   unpacking
 * T1426 | System Information Discovery | The Sms Eye trojan collects the brand
   and model of the infected phone
 * T1636.004 | Protected User Data: SMS Messages | The Sms Eye trojan collects
   incoming SMS messages
 * T1437.001 | Application Layer Protocol: Web Protocols | The Sms Eye trojan
   exfiltrates SMS messages over HTTPS
 * T1481.003 | Web Service: One-Way Communication | The Sms Eye trojan uses the
   Telegram Bot API to exfiltrate SMS messages
 * T1521.002 | Encrypted Channel: Asymmetric Cryptography | The C2 channel is
   encrypted by TLS
 * T1646 | Exfiltration Over C2 Channel | The SMS messages are exfiltrated over
   the C2 channel
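The conclusion notes that this SMS spyware needs little more than SMS permissions, and Appendix C maps the Sms Eye behaviour to receiving SMS and sending it out over HTTPS. The following static triage helper is an added example, not SentinelOne's or Neo_Net's code: it inspects a decoded AndroidManifest.xml for that permission-plus-receiver pattern and for the package prefixes seen in the Appendix B main-activity names. The sample manifest is constructed for illustration and is not one of the hashed APKs.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The page notes the spyware only needs SMS permissions plus network egress.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                   "android.permission.SEND_SMS"}
# Package prefixes seen in the main-activity names listed in Appendix B.
KNOWN_PACKAGE_PREFIXES = ("com.neonet.app.reader", "com.cannav.cuasimodo.jumper",
                          "com.uklapon.mafin.chinpiling")
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

def triage_manifest(manifest_xml: str) -> dict:
    """Flag a decoded AndroidManifest.xml that fits the SMS-stealer pattern."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMISSIONS)
    # A receiver on SMS_RECEIVED is how the app sees incoming OTP codes.
    sms_receiver = any(a.get(ANDROID_NS + "name") == SMS_RECEIVED
                       for a in root.iter("action"))
    internet = "android.permission.INTERNET" in perms
    known_family = package.startswith(KNOWN_PACKAGE_PREFIXES)
    # Core pattern: read incoming SMS and have a network path to send them out.
    stealer_pattern = bool(sms_perms) and sms_receiver and internet
    return {"package": package, "sms_permissions": sms_perms,
            "sms_receiver": sms_receiver, "internet": internet,
            "known_family": known_family,
            "suspicious": stealer_pattern or known_family}

# Constructed sample manifest, not one of the real APKs hashed in Appendix B.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.neonet.app.reader">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The binary manifest inside a real APK must first be decoded (for example with apktool or androguard) before being passed to this function.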
