Xeon Sender: New Cloud Attack Tool Exploited for SMS Phishing

In recent months, cybersecurity experts have identified the active use of a new tool for attacks on cloud services, known as Xeon Sender. This tool is being exploited by malicious actors to conduct phishing and spam campaigns via SMS, leveraging legitimate services.

According to SentinelOne researcher Alex Delamotte, Xeon Sender enables the dispatch of messages through various services operating under the “Software as a Service” (SaaS) model, using valid credentials. Notable among these services are Amazon SNS, Nexmo, Plivo, Twilio, and others.

A crucial aspect is that Xeon Sender does not exploit vulnerabilities within the providers themselves. Instead, attackers use legitimate APIs to send spam messages en masse. Such tools have recently gained popularity among cybercriminals for disseminating phishing messages aimed at stealing confidential information.

Xeon Sender is distributed via Telegram and various hacking forums. The latest version of the tool, available for download as a ZIP archive, references a Telegram channel called “Orion Toolxhub,” created in February 2023. This channel actively disseminates other malicious programs, such as tools for brute-force attacks and website scanning.

Xeon Sender, also known as XeonV5 and SVG Sender, was first discovered in 2022. Since then, its functionality has continually expanded and has been utilized by various malicious groups. Notably, one version of this tool is hosted on a web server with a graphical interface, making it accessible even to users with minimal technical skills.

At its core, the tool provides a command line for interacting with the APIs of selected services, facilitating large-scale SMS attacks. This suggests that the attackers already possess the necessary API keys to access the services. The requests specify the sender ID, message content, and phone numbers drawn from a pre-prepared list.

Additionally, Xeon Sender includes features for verifying credentials of Nexmo and Twilio services, generating phone numbers based on specified country and region codes, and checking the validity of the listed numbers. Although the program’s code contains many ambiguous variables that complicate debugging, researchers note that the use of specific libraries for crafting requests adds further challenges to their detection.

To defend against such threats, experts recommend that organizations monitor activity related to changes in SMS sending settings and anomalies in recipient lists, such as the mass uploading of new numbers.