A cloud-based tool named Xeon Sender has enabled attackers to conduct large-scale SMS spam and phishing campaigns by leveraging legitimate software-as-a-service (SaaS) providers.
Distributed through Telegram and various hacking forums, Xeon Sender simplifies the process of sending bulk SMS messages by using valid API credentials from popular service providers such as Amazon SNS, Twilio and Plivo.
Xeon Sender Features and Threat Assessment
Xeon Sender, first identified in 2022 and further described in an advisory by SentinelLabs today, has evolved with minimal changes despite multiple cybercriminals claiming authorship.
“Attribution remains open to interpretation in the context of script-based cloud attack tools where one actor can easily put their name inside a tool to replace the previous author,” said SentinelLabs researcher Alex Delamotte. “Despite many actors claiming this tool as their own, we have observed no significant deviations between known versions.”
This tool is notable for its ability to send bulk messages using the APIs of nine different SMS providers. Attackers using Xeon Sender require specific API keys and other credentials to interact with these services, which they often obtain from compromised accounts.
Key features of the tool include:
- Sending SMS spam using APIs from providers like Amazon SNS and Twilio
- Validating credentials for accounts on Nexmo and Twilio
- Generating phone numbers and checking their validity against online databases
Xeon Sender is a simple tool that lacks robust error handling, which may limit its adoption by more sophisticated cybercriminals. SentinelLabs warned, however, that it still poses a significant threat because it is easy to use and the credentials it needs are widely available.
“Other tools like AlienFox have evolved over time as different actors adapt the tools, often bringing improvements,” Delamotte explained. “Actors may ultimately improve on Xeon Sender or roll features into a multi-tool that covers more attack categories.”
Detecting Xeon Sender is challenging for security teams because it sends messages through each provider's own legitimate Python library, so its API traffic is hard to distinguish from authorized use and therefore hard to track and stop.
Organizations are advised to monitor for changes to SMS-sending permissions and for unusual uploads of phone numbers. Because the tool abuses legitimate services for spam, vigilant monitoring and stricter controls on API usage are also warranted.
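As an added example (not part of the article or of SentinelLabs' advisory), the two controls recommended above expressed as detection logic run over constructed, simplified audit records. The record shape, field names, principal names, phone numbers and the distinct-number threshold are assumptions, not a real CloudTrail schema or a tuned baseline.

```python
# Added example: flag two Xeon-Sender-style warning signs in cloud audit events:
# (1) changes to SMS-sending permissions, (2) one principal pushing an unusual
# number of distinct destination phone numbers in a short window.
# Record shape is a constructed, simplified approximation of an audit log record.
from collections import defaultdict
from datetime import datetime, timedelta

# Amazon SNS / IAM event names that change SMS sending behaviour or permissions.
SMS_SETTING_EVENTS = {"SetSMSAttributes"}
POLICY_EVENTS = {"AttachUserPolicy", "PutUserPolicy", "CreatePolicyVersion"}
DISTINCT_NUMBERS_THRESHOLD = 50   # assumed baseline; tune to the account's normal volume
WINDOW = timedelta(minutes=10)

def detect(events):
    """Return a list of (finding_type, principal) tuples for suspicious activity."""
    findings = []
    sends = defaultdict(list)            # principal -> [(time, phone_number)]
    for e in events:
        principal, name = e["principal"], e["eventName"]
        if name in SMS_SETTING_EVENTS:
            findings.append(("sms_settings_changed", principal))
        elif name in POLICY_EVENTS and "sns:" in e.get("policyDocument", ""):
            findings.append(("sms_permission_granted", principal))
        elif name == "Publish" and "phoneNumber" in e:
            sends[principal].append((datetime.fromisoformat(e["eventTime"]), e["phoneNumber"]))
    # Bulk-number heuristic: many distinct destinations from one principal inside one
    # sliding window is the footprint of an uploaded list, not transactional messaging.
    for principal, recs in sends.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > WINDOW:
                start += 1
            if len({n for _, n in recs[start:end + 1]}) > DISTINCT_NUMBERS_THRESHOLD:
                findings.append(("bulk_distinct_numbers", principal))
                break
    return findings

def constructed_events():
    """Synthetic records: a benign OTP sender, a bulk sender, and two permission changes."""
    base = datetime(2024, 8, 19, 9, 0, 0)
    ev = [{"eventName": "Publish", "principal": "user/otp-service",
           "eventTime": (base + timedelta(minutes=i)).isoformat(),
           "phoneNumber": f"+1555010{i:04d}"} for i in range(5)]
    ev += [{"eventName": "Publish", "principal": "user/marketing-api",
            "eventTime": (base + timedelta(seconds=3 * i)).isoformat(),
            "phoneNumber": f"+1555020{i:04d}"} for i in range(80)]
    ev.append({"eventName": "PutUserPolicy", "principal": "user/admin",
               "policyDocument": '{"Action":["sns:Publish","sns:SetSMSAttributes"]}'})
    ev.append({"eventName": "SetSMSAttributes", "principal": "user/marketing-api"})
    return ev
```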