
Cybercriminals from Mexico have been implicated in an Android mobile malware campaign that targeted financial institutions worldwide from June 2021 to April 2023, with a particular focus on Spanish and Chilean banks.
The activity is attributed to an actor codenamed Neo_Net, said security researcher Pol Thill. The findings were published by SentinelOne in response to a malware research challenge run in partnership with vx-underground.
“Despite using relatively simple tools, Neo_Net has achieved a high success rate by tailoring its infrastructure to specific targets, resulting in the theft of €350,000 from victims' bank accounts and the compromise of the personally identifiable information (PII) of thousands of victims,” Thill said.
Primary targets include banks such as Santander, BBVA, Caixa Bank, Deutsche Bank, Crédit Agricole, and ING.
Neo_Net, which has ties to Spanish-speaking actors in Mexico, has established itself as an adept cybercriminal operation: it sells phishing panels, sells compromised victim data to third parties, and offers a smishing-as-a-service platform called Ankarex that is designed to target many countries around the world.
The initial point of entry for the multi-stage attack is SMS phishing, in which the attackers use a variety of scare tactics to trick unsuspecting recipients into clicking through to fake landing pages that harvest credentials and exfiltrate them via Telegram bots.
“The phishing page was meticulously configured using Neo_Net’s panel PRIV8, implementing multiple defenses such as blocking requests from non-mobile user agents and hiding the page from bots and network scanners,” Thill explained.
“These pages are designed to closely resemble real banking applications, complete with animations that create a compelling look.”
The attackers have also been seen tricking bank customers into installing rogue Android apps under the guise of security software. Once installed, the app requests SMS permissions so it can capture the SMS-based two-factor authentication (2FA) codes sent by the bank.
Meanwhile, the Ankarex platform has been active since May 2022. It is actively promoted on a Telegram channel that has about 1,700 subscribers.
“The service itself is accessible via ankarex[.] After going online and registering, users can use cryptocurrency transfers to upload funds and specify SMS content and target phone numbers to launch their own smishing campaigns,” Thill said.
The development comes as ThreatFabric details a new Anatsa (aka TeaBot) banking Trojan campaign that has been targeting banking customers in the US, UK, Germany, Austria and Switzerland since early March 2023.