
Mexican hacker (group) Neo_Net targets global banks with Android Malware

The European Central Bank in Frankfurt

In a recent revelation, a Mexican cybercriminal known as Neo_Net has been identified as the mastermind behind a sophisticated Android mobile malware campaign that specifically targets global financial institutions, with a notable focus on Spanish and Chilean banks. The campaign, which ran from June 2021 to April 2023, has resulted in significant financial losses and the compromise of sensitive personally identifiable information (PII) of thousands of victims.

Security researcher Pol Thill, in collaboration with vx-underground, uncovered the activities of the actor codenamed Neo_Net during a Malware Research Challenge. Despite utilizing relatively unsophisticated tools, Neo_Net has achieved a remarkably high success rate by tailoring their infrastructure to the specific targets, leading to the theft of over 350,000 EUR from victims’ bank accounts.

Prominent financial institutions targeted by Neo_Net include Santander, BBVA, CaixaBank, Deutsche Bank, Crédit Agricole, and ING. The cybercriminal, believed to be a Spanish-speaking individual residing in Mexico, has gained a reputation as an experienced e-crime actor, engaging in the sale of phishing panels and compromised victim data to third parties. They have also offered a service called Ankarex, which specializes in smishing attacks and targets multiple countries globally.

The attack begins with SMS phishing, in which Neo_Net uses various scare tactics to push unsuspecting recipients into clicking links to fraudulent landing pages. The credentials victims enter there are then harvested and exfiltrated through a Telegram bot. The phishing pages were built with Neo_Net’s panels, PRIV8, and included multiple defensive measures, such as blocking requests from non-mobile user agents and hiding the pages from bots and network scanners. They were designed to closely mimic authentic banking applications, complete with convincing animations to deceive users.

In addition to phishing, the threat actors have been observed tricking bank customers into installing rogue Android apps disguised as security software. Once installed, these apps request SMS permissions to capture two-factor authentication (2FA) codes sent by the bank, enabling Neo_Net to bypass an additional layer of security. The Ankarex platform, utilized by the hackers since May 2022, is actively promoted on a Telegram channel boasting approximately 1,700 subscribers.

Meanwhile, cybersecurity firm ThreatFabric recently detailed a separate banking trojan campaign, named Anatsa or TeaBot, targeting banking customers in the United States, United Kingdom, Germany, Austria, and Switzerland since March 2023.

As financial institutions continue to face evolving cyber threats, proactive measures and heightened security awareness become imperative to safeguard customer accounts and personal information from the clutches of cybercriminals like Neo_Net.
