Mexican e-criminals have been linked to an Android mobile malware campaign targeting financial institutions globally, but with a particular focus on Spanish and Chilean banks, from June 2021 to April 2023.
This activity is associated with an actor codename Neo_Net, according to security researcher Pol Thill. These findings were published by SentinelOne following the Malware Research Challenge in collaboration with vx-underground.
“Despite using relatively unsophisticated tools, Neo_Net has achieved a high degree of success by customizing their infrastructure for specific targets, resulting in the theft of over 350,000 EUR from victims’ bank accounts and compromising the Personally Identifiable Information (PII) of thousands of victims,” Thill said.
Some of the main targets include banks such as Santander, BBVA, CaixaBank, Deutsche Bank, Crédit Agricole and ING.
Neo_Net, related to Spanish-speaking actors living in Mexico, have established themselves as seasoned cybercriminals, involved in selling phishing panels, compromised victim data to third parties, and smishing-as-a-service offerings that Ankarex calls devised. to target a number of countries around the world.
The initial entry point for multi-stage attacks is SMS phishing, in which threat actors use various scare tactics to trick unwitting recipients into clicking fake landing pages to harvest and extract their credentials via Telegram bots.
“The phishing page is carefully orchestrated using the Neo_Net panel, PRIV8, and employs several defensive measures, including blocking requests from non-mobile user agents and hiding the page from bots and network scanners,” explains Thill.
“This page is designed very much like a real banking app, complete with animations to create a convincing façade.”
Threat perpetrators have also been observed fooling bank customers into installing rogue Android apps under the guise of security software that, once installed, request SMS permissions to capture SMS-based two-factor authentication (2FA) codes sent by banks.
The Ankarex platform, for its part, has been active since May 2022. It is actively promoted on the Telegram channel which has about 1,700 subscribers.
“The service itself is accessible on ankarex(.)net, and once registered, users can upload funds using cryptocurrency transfers and launch their own Smishing campaigns by specifying the SMS content and target phone number,” said Thill.
The developments come as ThreatFabric details a new Anatsa (aka TeaBot) banking trojan campaign that has been targeting banking customers in the US, UK, Germany, Austria and Switzerland since early March 2023.