Malicious actors are using a cloud attack tool named Xeon Sender to conduct SMS phishing and spam campaigns on a large scale by abusing legitimate services.
“Attackers can use Xeon to send messages through multiple software-as-a-service (SaaS) providers using valid credentials for the service providers,” SentinelOne security researcher Alex Delamotte said in a report shared with The Hacker News.
Examples of the services used to facilitate the en masse distribution of SMS messages include Amazon Simple Notification Service (SNS), Nexmo, Plivo, Proovl, Send99, Telesign, Telnyx, TextBelt, Twilio.
It’s important to note here that the activity does not exploit any inherent weaknesses in these providers. Rather, the tool uses legitimate APIs to conduct bulk SMS spam attacks.
It joins tools like SNS Sender that have increasingly become a way to send bulk smishing messages and ultimately capture sensitive information from targets.
Distributed via Telegram and hacking forums, with one of the older versions crediting a Telegram channel devoted to advertising cracked hacktools. The most recent version, available for download as a ZIP file, attributes itself to a Telegram channel named Orion Toolxhub (oriontoolxhub) that has 200 members.
Orion Toolxhub was created on February 1, 2023. It has also freely made available other software for brute-force attacks, reverse IP address lookups, and others such as a WordPress site scanner, a PHP web shell, a Bitcoin clipper, and a program called YonixSMS that purports to offer unlimited SMS sending capabilities.
Xeon Sender is also referred to as XeonV5 and SVG Sender. Early versions of the Python-based program have been detected as early as 2022. It has since been repurposed by several threat actors for their own purposes.
“Another incarnation of the tool is hosted on a web server with a GUI,” Delamotte said. “This hosting method removes a potential barrier to access, enabling lower skilled actors who may not be comfortable with running Python tools and troubleshooting their dependencies.”
Xeon Sender, regardless of the variant used, offers its users a command-line interface that can be used to communicate with the backend APIs of the chosen service provider and orchestrate bulk SMS spam attacks.
This also means that the threat actors are already in possession of the necessary API keys required to access the endpoints. The crafted API requests also include the sender ID, the message contents, and one of the phone numbers selected from a predefined list present in a text file.
Xeon Sender, besides its SMS sending methods, incorporates features to validate Nexmo and Twilio account credentials, generate phone numbers for a given country code and area code, and check if a provided phone number is valid.
Despite a lack of finesse associated with the tool, SentinelOne said the source code is replete with ambiguous variables like single letters or a letter plus a number to make debugging a lot more challenging.
“Xeon Sender largely uses provider-specific Python libraries to craft API requests, which presents interesting detection challenges,” Delamotte said. “Each library is unique, as are the provider’s logs. It may be difficult for teams to detect abuse of a given service.”
“To defend against threats like Xeon Sender, organizations should monitor activity related to evaluating or modifying SMS sending permissions or anomalous changes to distribution lists, such as a large upload of new recipient phone numbers.”