Cyber Security News

Neo_Net Hackers Group Targeting Users of Prominent Banks Globally

A Spanish-based threat actor Neo_Net has conducted campaigns against financial institutions and banks and achieved the highest success rate in spite of its unsophisticated tools.

The campaign has compromised a significant amount of Personally Identifiable Information (PII), including telephone numbers, national identity numbers, and names of thousands of victims.

Neo_Net has established and rented out a wide-ranging infrastructure, including phishing panels and Android trojans, to multiple affiliates, sold compromised victim data to third parties, and launched a successful Smishing-as-a-Service offering to target various countries worldwide.

As per the latest malware research conducted by SentinelOne with VX underground, they have shared the report regarding Neo_Net.

Tactics Used in Campaign

The campaign utilizes Ankarex, its smishing, as a service platform for targeting the victims through messages which contain Sender IDs (SIDs) to create an illusion of authenticity and impersonate reputable financial institutions.

These sms manipulate the victims by claiming that an unauthorized device had accessed the victim’s account or that their card had been temporarily limited due to security concerns.

The messages also contained a hyperlink to the threat actor’s phishing page.

The phishing pages look like legit banking sites that were implemented with multiple defense measures, including blocking requests from non-mobile user agents and concealing the pages from bots and network scanners. 

Figure: phishing pages

Once the user submits the details, information will be exfiltrated to a designated Telegram chat via the Telegram Bot API, granting the threat actors unrestricted access to the stolen data, including the victims’ IP addresses and user agents.

Then threat actors coaxed victims into installing a purported security application for their bank account on their Android devices to circumvent the Multi-Factor Authentication (MFA) mechanisms.

The exfiltrated messages could then be utilized to bypass MFA on the targeted accounts by capturing One-Time Passwords (OTPs). 

The threat actors were also observed making direct phone calls to victims, possibly impersonating bank representatives and deceiving victims into installing Android spyware or divulging OTPs.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

The funds illicitly acquired from victims during the course of the year-long operation amounted to a minimum of 350,000 EUR. Through his contributions on Telegram, Neo_Net has been linked to the “macosfera(.)com” forum, a Spanish-language IT forum.

Indicators of Compromise

APK SHA1 Hashes
de8929c1a0273d0ed0dc3fc55058e0cb19486b3c
b344fe1bbb477713016d41d996c0772a308a5146
8a099af61f1fa692f45538750d42aab640167fd2
ab14161e243d478dac7a83086ed4839f8ad7ded8
ded2655512de7d3468f63f9487e16a0bd17818ff
a5208de82def52b4019a6d3a8da9e14a13bc2c43
21112c1955d131fa6cab617a3d7265acfab783c2
6ea53a65fe3a1551988c6134db808e622787e7f9
62236a501e11d5fbfe411d841caf5f2253c150b8
7f0c3fdbfcdfc24c2da8aa3c52aa13f9b9cdda84
f918a6ecba56df298ae635a6a0f008607b0420b9
ffbcdf915916595b96f627df410722cee5b83f13
7b4ab7b2ead7e004c0d93fe916af39c156e0bc61
34d0faea99d94d3923d0b9e36ef9e0c48158e7a0
e6c485551d4f209a0b7b1fa9aa78b7efb51be49b
1df3ed2e2957efbd1d87aac0c25a3577318b8e2a
6a907b8e5580a5067d9fb47ef21826f164f68f3f
5d1c7ff3d16ec770cf23a4d82a91358b9142d21a
86ad0123fa20b7c0efb6fe8afaa6a756a86c9836
14a36f18a45348ad9efe43b20d049f3345735163
b506503bb71f411bb34ec8124ed26ae27a4834b9
afe84fa17373ec187781f72c330dfb7bb3a42483
445468cd5c298f0393f19b92b802cfa0f76c32d4
8491ff15ad27b90786585b06f81a3938d5a61b39
2714e0744ad788142990696f856c5ffbc7173cf4
1ce0afe5e09b14f8aee6715a768329660e95121e
96a3600055c63576be9f7dc97c5b25f1272edd2b
9954ae7d31ea65cd6b8cbdb396e7b99b0cf833f4
07159f46a8adde95f541a123f2dda6c49035aad1
ab19a95ef3adcb83be76b95eb7e7c557812ad2f4
db8eeab4ab2e2e74a34c47ad297039485ff75f22
dbf0cec18caabeb11387f7e6d14df54c808e441d
69d38eed5dc89a7b54036cc7dcf7b96fd000eb92
c38107addc00e2a2f5dcb6ea0cbce40400c23b49
279048e07c25fd75c4cef7c64d1ae741e178b35b
ef8c5d639390d9ba138ad9c2057524ff6e1398de
e7c2d0c80125909d85913dfb941bdc373d677326
145bd67f94698cc5611484f46505b3dc825bd6cd

“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.

Sujatha

Sujatha is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under her belt in Cyber Security, she is covering Cyber Security News, technology and other news.

Recent Posts

AT&T Massive Data Breach – Affecting Nearly All Customers’ Call & Text Records

AT&T, one of the largest telecommunications companies in the United States, has disclosed a significant…

8 hours ago

FishXProxy Fuels Phishing Attacks with Clever Deceptive Attacks

Imagine receiving an email that looks legitimate, down to the last detail. This is the…

11 hours ago

Beware of Phishing Attack that Abuses SharePoint Servers

A massive phishing campaign exploits Microsoft SharePoint servers to host malicious PDFs containing phishing links.…

12 hours ago

Apple Warns of Users in 98 Countries of Targeted Spyware Attacks

Apple has alerted iPhone users in 98 countries about potential mercenary spyware attacks. This marks…

14 hours ago

Citrix NetScaler ADC & Gateway Impacted by regreSSHion RCE Vulnerability

Qualys discovered a critical remote unauthenticated code execution (RCE) vulnerability, CVE-2024-6387, in OpenSSH’s server (sshd).…

14 hours ago

4000+ Domains Used By FIN7 Actors Mimic Popular Brands

Russian-linked FIN7 (aka Sangria Tempest, ATK32, Carbon Spider, Coreid, ELBRUS, G0008, G0046, and GOLD NIAGARA)…

15 hours ago