Neo_Net | The Kingpin of Spanish eCrime

Neo_Net ran a global eCrime campaign targeting thousands of bank clients, focusing on Spanish and Chilean banks, from June 2021 to April 2023. The operation included Ankarex Smishing-as-a-Service, phishing panels, and Android trojans that exfiltrated data via Telegram to steal funds and PII.

Keypoints

  • Neo_Net led a worldwide eCrime campaign targeting bank clients, with a focus on Spanish and Chilean banks (e.g., Santander, BBVA, CaixaBank).
  • From June 2021 to April 2023, the operation caused over 350,000 EUR in theft and exposed PII from thousands of victims.
  • The attack used a multi-stage approach beginning with targeted SMS phishing (Ankarex SID) to impersonate trusted financial institutions.
  • Neo_Net built and rented a broad infrastructure (phishing panels, Smishing software, Android trojans) and offered Smishing-as-a-Service to affiliates.
  • Credentials and data were exfiltrated via Telegram, with MFA bypass techniques including Android SMS spyware and OTP interception.
  • Neo_Net operates from Mexico, targets Spanish-speaking countries, and runs Ankarex with a Telegram channel of about 1,700 subscribers.
  • Legacy and ongoing eCrime against mobile users in Spain is linked to Neo_Net’s campaigns, underscoring SMS-based MFA weaknesses and OPSEC considerations.

MITRE Techniques

  • [T1406.002] Obfuscated Files or Information: Software Packing – Some APK files are packed and drop the unpacked dex file once executed.
  • [T1633.001] Virtualization/Sandbox Evasion: System Checks – Some APK files have been modified and initially check for common sandbox names before unpacking.
  • [T1426] System Information Discovery – The Sms Eye trojan collects the brand and model of the infected phone.
  • [T1636.004] Protected User Data: SMS Messages – The Sms Eye trojan collects incoming SMS messages.
  • [T1437.001] Application Layer Protocol: Web Protocols – The Sms Eye trojan exfiltrates SMS messages over HTTPS.
  • [T1481.003] Web Service: One-Way Communication – The Sms Eye trojan uses the Telegram Bot API to exfiltrate SMS messages.
  • [T1521.002] Encrypted Channel: Asymmetric Cryptography – The C2 channel is encrypted by TLS.
  • [T1646] Exfiltration Over C2 Channel – The SMS messages are exfiltrated over the C2 channel.
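The techniques above describe SMS being forwarded from the phone to the Telegram Bot API over HTTPS. As an added defender-side example (not code from the SentinelOne report or from the trojan), the script below hunts for that pattern in web-proxy logs: mobile user agents calling Bot API send methods. The log layout, user agents and bot tokens are constructed for this example and are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log lines: "<verb> <host> <path> <user-agent>".
# Tokens and device strings are made up for the example.
SAMPLE_LOG = """\
POST api.telegram.org /bot123456789:AAExampleTokenXXXXXXXXXXXXXXXX/sendMessage Dalvik/2.1.0 (Linux; U; Android 11; SM-A515F)
GET www.example-bank.test / Mozilla/5.0 (Linux; Android 11; SM-A515F) Chrome/112
POST api.telegram.org /bot987654321:BBAnotherConstructedToken/sendDocument okhttp/4.9.0
GET api.telegram.org /bot111:CCShortToken/getMe Mozilla/5.0 (Windows NT 10.0)
"""

# Bot API paths look like /bot<bot_id>:<secret>/<method>.
BOT_API = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>\w+)")
# Methods that push content out of the device; query-only calls (getMe, getUpdates) are ignored.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}
# Markers of an Android app's HTTP stack rather than a desktop browser.
MOBILE_UA_MARKERS = ("Dalvik/", "okhttp/", "Android")


@dataclass
class Alert:
    line_no: int
    method: str
    bot_id: str      # numeric half of the token only; the secret is never retained
    user_agent: str


def detect_telegram_bot_exfil(log_text: str) -> list[Alert]:
    """Return one Alert per mobile-origin Bot API 'send*' call found in the log."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue                       # malformed line, skip
        _verb, host, path, ua = parts
        if host != "api.telegram.org":
            continue
        m = BOT_API.match(path)
        if not m or m.group("method") not in EXFIL_METHODS:
            continue
        if not any(marker in ua for marker in MOBILE_UA_MARKERS):
            continue
        bot_id = m.group("token").split(":", 1)[0]   # drop the secret before storing
        alerts.append(Alert(n, m.group("method"), bot_id, ua))
    return alerts


if __name__ == "__main__":
    for a in detect_telegram_bot_exfil(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.method} from bot {a.bot_id} via {a.user_agent}")
```

Legitimate apps also use the Telegram Bot API, so a hit is a hunting lead to correlate with the sending app's SMS permissions, not a conviction on its own.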

Indicators of Compromise

  • [APK SHA1 Hashes] – de8929c1a0273d0ed0dc3fc55058e0cb19486b3c, b344fe1bbb477713016d41d996c0772a308a5146, and 37 more hashes
  • [Phishing Domains] – bbva.info-cliente[.]net, santander.esentregas[.]ga, bbva.esentregas[.]ga, correos.esentregas[.]ga
  • [Android package names] – com.neonet.app.reader.MainActivity, com.cannav.cuasimodo.jumper.actividades, and 8 more packages
  • [Domain] ankarex.net – Ankarex Smishing-as-a-Service platform
  • [Domain] macosfera.com – Phishing panels linked to Neo_Net’s operations

Read more: https://www.sentinelone.com/blog/neo_net-the-kingpin-of-spanish-ecrime/