Xeon Sender Tool leverages cloud APIs for large-scale SMS phishing attacks

August 19, 2024 | Ravie Lakshmanan | Cloud Security / Threat Intelligence

Malicious actors are using a cloud attack tool called Xeon Sender to conduct large-scale SMS phishing and spam campaigns by abusing legitimate services.

“Attackers can leverage Xeon to send messages through multiple Software-as-a-Service (SaaS) providers using valid service provider credentials,” said Alex Delamotte, security researcher at SentinelOne, in a report shared with The Hacker News.

Examples of services used to facilitate the mass distribution of SMS messages include Amazon Simple Notification Service (SNS), Nexmo, Plivo, Proovl, Send99, Telesign, Telnyx, TextBelt, and Twilio.

It is important to note here that the activity does not exploit any inherent weaknesses of these providers. Instead, the tool uses legitimate APIs to perform bulk SMS spam attacks.

It joins tools like SNS Sender, which are increasingly being used to send mass smishing messages and ultimately obtain sensitive information from targets.

The tool is distributed via Telegram and hacking forums; one of the older versions attributes itself to a Telegram channel dedicated to advertising cracked hacking tools. The most recent version, available for download as a ZIP file, attributes itself to a Telegram channel called Orion Toolxhub (oriontoolxhub) that has 200 members.

Orion Toolxhub was founded on February 1, 2023. It has also made other software available for free for brute-force attacks, reverse IP address lookups, and other things, such as a WordPress site scanner, a PHP web shell, a Bitcoin clipper, and a program called YonixSMS that claims to offer unlimited SMS sending capabilities.

Xeon Sender is also known as XeonV5 and SVG Sender. Early versions of the Python-based program were detected as early as 2022. Since then, it has been repurposed by various threat actors for their own purposes.

“Another incarnation of the tool is hosted on a web server with a GUI,” Delamotte said. “This hosting method removes a potential barrier to entry, enabling less skilled actors who may not be comfortable running Python tools and resolving their dependencies.”

Regardless of the variant used, Xeon Sender provides users with a command line interface that allows them to communicate with the backend APIs of the chosen service provider and perform mass spam SMS attacks.

This also means that the threat actors are already in possession of the necessary API keys required to access the endpoints. The crafted API requests also contain the sender ID, the message content, and one of the phone numbers selected from a predefined list present in a text file.

In addition to the SMS sending methods, Xeon Sender also has features to validate Nexmo and Twilio account credentials, generate phone numbers for a given country code and area code, and check if a provided phone number is valid.

Despite the tool’s lack of finesse, SentinelOne says the source code is littered with ambiguous variables, such as single letters or a letter plus a number, making debugging much more difficult.

“Xeon Sender largely uses provider-specific Python libraries to make API requests, which presents interesting detection challenges,” Delamotte said. “Each library is unique, as are the provider logs. It can be difficult for teams to detect abuse of a particular service.”

“To defend against threats like Xeon Sender, organizations should monitor activities related to evaluating or changing permissions for sending SMS messages or anomalous changes to distribution lists, such as uploading a large number of new recipient phone numbers.”
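As an added illustration of the monitoring advice above (this is example code written for this article, not SentinelOne's or any provider's tooling), the following detector runs over constructed CloudTrail-style Amazon SNS records and raises alerts on two of the signals described: changes to SMS sending permissions or settings, and a single principal publishing to an unusually large number of previously unseen recipient numbers inside a short window. The record shape, principal names, phone numbers and thresholds are all assumptions; which SNS actions a given trail actually captures depends on its configuration.

```python
from collections import defaultdict, deque
from datetime import datetime

# Real SNS API action names; treating them as "SMS permission/config" events is
# this example's own classification, not an official one.
SMS_CONFIG_ACTIONS = {"SetSMSAttributes", "GetSMSAttributes", "AddPermission", "OptInPhoneNumber"}

def _ev(t, user, name, **params):
    # Constructed CloudTrail-style record containing only the fields the detector reads.
    return {"eventTime": t, "eventSource": "sns.amazonaws.com", "eventName": name,
            "userIdentity": {"userName": user}, "requestParameters": params}

# Constructed sample: a legitimate alerting principal, then a deploy principal that
# inspects and changes SMS settings and blasts eight never-before-seen numbers.
SAMPLE_EVENTS = [
    _ev("2024-08-19T10:00:00Z", "svc-alerts", "Publish", phoneNumber="+15550100001"),
    _ev("2024-08-19T10:01:00Z", "ci-deploy", "GetSMSAttributes"),
    _ev("2024-08-19T10:01:05Z", "ci-deploy", "SetSMSAttributes", attributes={"MonthlySpendLimit": "5000"}),
] + [
    _ev(f"2024-08-19T10:02:{i:02d}Z", "ci-deploy", "Publish", phoneNumber=f"+1555020{i:04d}")
    for i in range(8)
]
KNOWN_NUMBERS = {"+15550100001"}  # baseline of recipients seen before (constructed)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect(events, known_numbers, window_s=60, max_new=5):
    """Return (alert_type, principal, detail) tuples: one per SMS config/permission
    action, plus one per principal that publishes to more than max_new unseen
    numbers within a sliding window of window_s seconds."""
    alerts, seen, flagged = [], set(known_numbers), set()
    recent = defaultdict(deque)  # principal -> timestamps of publishes to new numbers
    for e in sorted(events, key=lambda e: e["eventTime"]):
        user, name = e["userIdentity"]["userName"], e["eventName"]
        if name in SMS_CONFIG_ACTIONS:
            alerts.append(("sms_config_change", user, name))
            continue
        number = (e.get("requestParameters") or {}).get("phoneNumber")
        if name != "Publish" or not number or number in seen:
            continue
        seen.add(number)  # only never-seen recipients count toward the burst
        ts, q = parse_ts(e["eventTime"]), recent[user]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_new and user not in flagged:
            flagged.add(user)
            alerts.append(("recipient_burst", user, len(q)))
    return alerts
```

In production the baseline set would come from historical logs rather than a literal, and the same two rules map onto the other providers named in the article once their delivery logs are normalised to principal, action and recipient fields.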
