A sophisticated tool called Xeon Sender is being exploited by cybercriminals to launch large-scale SMS phishing (smishing) and spam campaigns. By using legitimate cloud services, attackers can send massive volumes of unwanted messages while bypassing traditional security measures.
The role of Xeon Sender in SMS phishing campaigns
(Photo: Kenny Eliason from Unsplash)
Hackers using the Xeon Sender tool target software-as-a-service (SaaS) providers and can abuse legitimate services by conducting phishing and spam campaigns.
Xeon Sender allows attackers to send bulk SMS messages by leveraging multiple Software-as-a-Service (SaaS) providers using valid credentials.
According to a report by SentinelOne security researcher Alex Delamotte, this tool allows cybercriminals to exploit the APIs of services such as Amazon Simple Notification Service (SNS), Nexmo, Plivo, Proovl, Send99, Telesign, Telnyx, TextBelt and Twilio to send massive amounts of spam messages.
Importantly, these activities do not rely on vulnerabilities in the service providers themselves. Instead, Xeon Sender leverages legitimate APIs to conduct mass SMS spam attacks, making it an important tool in the cybercriminals’ arsenal.
The tool is similar to SNS Sender, which is often used to distribute smishing messages whose goal is to steal confidential information from unsuspecting victims.
Related article: SAP releases security patch for 17 vulnerabilities, including “Missing authentication check”
Distribution and development of Xeon Sender
Xeon Sender is widely distributed through Telegram channels and hacking forums, often accompanied by other malicious tools. One of the earlier versions even mentioned a Telegram channel dedicated to promoting cracked hacking tools.
The latest version of Xeon Sender, available for download as a ZIP file, belongs to a Telegram channel called Orion Toolxhub, which was created on February 1, 2023 and has around 200 members.
Orion Toolxhub offers a variety of other malware, including brute force attack tools, reverse IP address lookups, WordPress site scanners, PHP web shells, Bitcoin clippers, and YonixSMS, a program that claims to offer unlimited SMS sending capabilities.
Xeon Sender, also known as XeonV5 and SVG Sender, has been around since 2022. Originally developed as a Python-based program, it has been repurposed by various threat actors for their own nefarious purposes.
Over time, the tool has evolved to meet the needs of different cybercriminals. Among other things, a web server-hosted version with a graphical user interface (GUI) is now available, making it easier to use for actors with less technical knowledge.
Xeon Sender functionality and capabilities
According to The Hacker News, Xeon Sender provides users with a command-line interface (CLI) to communicate with the backend APIs of the selected service provider to orchestrate bulk SMS spam attacks. This tool also requires that the attackers already have the necessary API keys to access the service endpoints. These API requests typically contain the sender ID, message content, and phone numbers, often taken from a predefined list stored in a text file.
In addition to SMS sending capabilities, Xeon Sender includes functionality to validate account credentials for Nexmo and Twilio, generate phone numbers based on specific country and area codes, and check the validity of provided phone numbers.
Challenges in detecting and defending against Xeon Sender attacks
Despite the tool’s rudimentary design, SentinelOne points out that its source code is intentionally obfuscated with ambiguous variables, making debugging difficult. Xeon Sender primarily uses vendor-specific Python libraries to construct API requests, posing significant detection challenges for cybersecurity teams.
Because each library and provider’s protocols are unique, it can be difficult to detect abuse of these services, complicating efforts to curb these large-scale SMS spam attacks.
“To defend against threats like Xeon Sender, organizations should monitor activities related to evaluating or changing SMS sending permissions or anomalous changes to distribution lists, such as uploading large volumes of new recipient phone numbers,” said Delamotte.
Also read: T-Mobile has to pay a record fine of 60 million dollars for data security deficiencies
ⓒ 2024 TECHTIMES.com All rights reserved. No reproduction without permission.
