A tool named Xeon Sender is being used by cybercriminals to launch large-scale SMS phishing (smishing) and spam campaigns. By abusing legitimate cloud messaging services with valid credentials, attackers can send massive volumes of unsolicited messages while bypassing traditional security measures.
The Role of Xeon Sender in SMS Phishing Campaigns
Xeon Sender enables attackers to send bulk SMS messages by leveraging multiple software-as-a-service (SaaS) providers through the use of valid credentials.
According to a report by SentinelOne security researcher Alex Delamotte, this tool allows cybercriminals to exploit the APIs of services such as Amazon Simple Notification Service (SNS), Nexmo, Plivo, Proovl, Send99, Telesign, Telnyx, TextBelt, and Twilio to send massive amounts of spam messages.
Importantly, these activities do not rely on any vulnerabilities within the service providers themselves. Instead, Xeon Sender uses legitimate APIs to conduct bulk SMS spam attacks, making it a significant tool in the arsenal of cybercriminals.
The tool is similar to SNS Sender, which is frequently used to distribute smishing messages that aim to steal sensitive information from unsuspecting victims.
Distribution and Evolution of Xeon Sender
Xeon Sender is widely distributed through Telegram channels and hacking forums, often accompanied by other malicious tools. One of the earlier versions even credited a Telegram channel dedicated to promoting cracked hacktools.
The latest iteration of Xeon Sender, available for download as a ZIP file, attributes itself to a Telegram channel named Orion Toolxhub, which was created on February 1, 2023, and has around 200 members.
Orion Toolxhub offers a variety of other malicious software, including tools for brute-force attacks, reverse IP address lookups, WordPress site scanners, PHP web shells, Bitcoin clippers, and YonixSMS, a program that claims to provide unlimited SMS sending capabilities.
Xeon Sender, also known as XeonV5 and SVG Sender, has been around since 2022. Initially developed as a Python-based program, it has been repurposed by various threat actors for their own nefarious purposes.
Over time, the tool has evolved to meet the needs of different cybercriminals, including a web server-hosted version with a graphical user interface (GUI) that simplifies its use for less technically skilled actors.
Functionality and Capabilities of Xeon Sender
According to The Hacker News, Xeon Sender offers users a command-line interface (CLI) to communicate with the backend APIs of the selected service provider, enabling them to orchestrate bulk SMS spam attacks. This tool also requires that the attackers already possess the necessary API keys to access the service endpoints. These API requests typically include the sender ID, message content, and phone numbers, which are often sourced from a predefined list stored in a text file.
In addition to its SMS sending capabilities, Xeon Sender includes features to validate account credentials for Nexmo and Twilio, generate phone numbers based on specific country and area codes, and check the validity of provided phone numbers.
Challenges in Detecting and Mitigating Xeon Sender Attacks
Despite the tool's rudimentary design, SentinelOne notes that its source code is deliberately obfuscated with ambiguous variables, making it challenging to debug. Xeon Sender primarily uses provider-specific Python libraries to craft API requests, which presents significant detection challenges for cybersecurity teams.
Since each library and provider's logs are unique, detecting the abuse of these services can be difficult, complicating efforts to mitigate these large-scale SMS spam attacks.
"To defend against threats like Xeon Sender, organizations should monitor activity related to evaluating or modifying SMS sending permissions or anomalous changes to distribution lists, such as a large upload of new recipient phone numbers," Delamotte said.
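The detection difficulty described above (each provider logs the same activity differently) and Delamotte's two recommendations can be combined into one defensive check. The following is an added example, not code from SentinelOne or from the tool: it normalizes two constructed log layouts into a common event shape and flags both permission activity and a burst of never-seen recipient numbers. The operation names for "provider A" are Amazon SNS API action names; the record layouts, "provider B" names, accounts, numbers and timestamps are all constructed for illustration.

```python
"""Normalize heterogeneous SMS-provider logs and flag the two behaviours named in
the SentinelOne recommendation: touching SMS sending permissions, and a burst of
sends to previously unseen recipient numbers. Record layouts are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: the two providers log the same activity with
# different field names. Provider A borrows Amazon SNS action names.
SAMPLE_LOGS = [
    {"provider": "A", "ts": "2024-05-01T10:00:00", "op": "GetSMSAttributes", "user": "svc-notify"},
    {"provider": "A", "ts": "2024-05-01T10:00:05", "op": "SetSMSAttributes", "user": "svc-notify"},
    {"provider": "B", "ts": "2024-05-01T10:01:00", "action": "message.create", "actor": "svc-notify", "dest": "+15550000001"},
    {"provider": "B", "ts": "2024-05-01T10:01:02", "action": "message.create", "actor": "svc-notify", "dest": "+15550000002"},
    {"provider": "A", "ts": "2024-05-01T10:01:04", "op": "Publish", "user": "svc-notify", "to": "+15550000003"},
    {"provider": "A", "ts": "2024-05-01T10:01:06", "op": "Publish", "user": "svc-notify", "to": "+15550000004"},
    {"provider": "B", "ts": "2024-05-01T11:30:00", "action": "message.create", "actor": "billing-app", "dest": "+15550009999"},
]
KNOWN_RECIPIENTS = {"+15550009999"}  # constructed baseline of opted-in numbers
# SNS permission-related actions plus a constructed name for provider B
PERMISSION_OPS = {"GetSMSAttributes", "SetSMSAttributes", "permissions.update"}

def normalize(records):
    """Map each provider-specific record to (timestamp, actor, kind, recipient)."""
    events = []
    for r in records:
        if r["provider"] == "A":
            op, actor, dest = r["op"], r["user"], r.get("to")
        else:
            op, actor, dest = r["action"], r["actor"], r.get("dest")
        kind = "permission" if op in PERMISSION_OPS else "send" if dest else "other"
        events.append((datetime.fromisoformat(r["ts"]), actor, kind, dest))
    return sorted(events, key=lambda e: e[0])

def detect(events, known, window=timedelta(minutes=5), threshold=3):
    """Return alerts: every permission touch, plus any actor that sends to more
    than `threshold` distinct previously unseen numbers inside `window`."""
    alerts = []
    recent = defaultdict(list)  # actor -> [(ts, dest)] for sends to unseen numbers
    for ts, actor, kind, dest in events:
        if kind == "permission":
            alerts.append(("sms_permission_activity", actor, ts.isoformat()))
        elif kind == "send" and dest not in known:
            # keep only the sends that fall inside the sliding window
            recent[actor] = [(t, d) for t, d in recent[actor] if ts - t <= window] + [(ts, dest)]
            if len({d for _, d in recent[actor]}) > threshold:
                alerts.append(("new_recipient_burst", actor, ts.isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in detect(normalize(SAMPLE_LOGS), KNOWN_RECIPIENTS):
        print(alert)
```

In production the baseline set and thresholds would come from the organization's own opt-in list and normal sending volume rather than the constructed values here.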