Neo_Net: Decoding the Reign of a Cybercrime Mastermind

Interestingly, the observed lines of code in the malicious APK file have been intentionally programmed by the Threat Actors to offer an alternative source of income in case the victim does not fall for their Phishing Scheme. This indicates that the threat actors have devised a backup plan to generate revenue even if the primary phishing attempt is unsuccessful.

Based on the overall analysis on the Android malware’s source code, the application is capable of the following behavior:

1. Intercepting & Receiving SMS
2. Capturing Mobile Device Passwords
3. Sending and Receiving Data from its C&C Server
4. Retrieving SMS Data
5. Collecting Contact Details
6. Screen Capturing and Recording
7. Capturing Pictures/Images
8. Accessing its Location
9. Disabling Keyguard
10. Listing the current Installed Applications

Based on the above screenshot, it’s clear that the APK itself is inherently malicious due to the extensive and direct permissions it requests upon installation. During our testing, we installed the APK file on a test machine and observed that it immediately impersonates a well-known Spanish bank, CaixaBank. Upon executing the application, it displays the screenshot shown below, further confirming its malicious nature.

Interestingly, upon execution, the application shows a web version of CaixaBank’s Online Portal with the application named “Mi Vodafone”.

When an unsuspecting individual enters their banking credentials, the stolen information is sent to a telegram channel “hxxp://api[.]telegram[.]org/bot5{BLOCKED}19:AAFvxSA{BLOCKED}DXfd590MPhv41BwAqo/send
Message” . The credentials are then viewed and collected by the cybercriminals.

The Threat Actor: Neo_Net

Neo_Net has a significant online presence, particularly on underground markets and its dedicated Telegram Channel. As depicted in the above screenshot, Neo_Net has been active since 2007 and claims to be the CEO of its Smishing-as-a-Service Platform called Ankarex. Interestingly, according to its Telegram bio, the threat actor also boasts a Cybersecurity Certification CEH, typically associated with “Ethical Hackers.” Cyberint also noticed Neo_Net’s existence on GitHub, where the threat actor has publicly shared code in its own repository.

As observed on Neo_Net’s GitHub repository, it has some public repositories namely a “undetected-facebook-phishing” which is highly likely to be a Phishing Kit for Facebook users and a BIN Checker to automate the checking of Credit Card BIN Numbers.

After conducting further investigation, it was discovered that Neo_Net’s GitHub repository is registered under the email address “star-@ -macosfera.com,” which is associated with an already taken-down illegal forum.

The research on Neo_Net has uncovered a worrisome expansion of criminal activities, targeting various countries and industries worldwide. Notably, Neo_Net has moved beyond solely targeting financial applications and now offers “Smishing-as-a-Service,” providing rental services of its SMS Phishing Platform to affiliates and other malicious actors for their campaigns. Additionally, they have devised a profitable scheme by deploying fake applications with advertisement modules to generate revenue and selling stolen credentials to third-party websites.

Recommendations To Protect From Neo_Net Activity

• If your organization uses third-party ad networks, regularly monitor their activities, and ensure they adhere to security and privacy standards. This can help prevent the distribution of malicious advertisements.
• Promote awareness among mobile device users about the risks associated with downloading applications from unofficial sources and clicking on suspicious links or attachments.
• Collaborate with other financial institutions and cybersecurity organizations to share threat intelligence. A collective effort can help identify and respond to emerging cyber threats more effectively.
• Encourage users to download applications exclusively from trusted app stores, such as Google Play Store and Apple App Store, with robust security measures in place.
• Encourage users to install reputable mobile security applications that provide real-time threat detection and protection against malware and phishing attempts.
• Emphasize the importance of keeping devices and applications up to date, as software updates often include security patches that address vulnerabilities exploited by malware.
• Develop and implement an incident response plan to swiftly address and mitigate potential malware infections, including prompt user notifications and data breach remediation.

About Cyberint

Cyberint’s impactful intelligence solution combines cyber threat intelligence, external attack surface management, brand protection, and digital supply chain intelligence into a single, powerful platform. By leveraging autonomous discovery of all of an organization’s external-facing assets, coupled with open, deep & dark web intelligence, the solution enables cybersecurity teams to accelerate the detection and disruption of their most pressing cyber risks. Global customers, including Fortune 500 leaders across all major market verticals, rely on Cyberint to prevent, detect, investigate, and remediate phishing, malware, fraud, brand abuse, data leaks, external vulnerabilities, and more, ensuring continuous external protection from cyber threats.