Xeon Sender Abusing Nine SaaS providers For Massive SMS Attacks


Xeon Sender, a Python script, is a tool that enables threat actors to send spam messages through nine different SaaS providers.

Initially observed in 2022, various threat actors have reused and rebranded this tool in the cloud hacktool scene. 

EHA

By leveraging SaaS platforms, Xeon Sender facilitates SMS spam and smishing campaigns, which are increasingly used as tactics to execute malicious activities.

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

A cloud attack tool exploits legitimate APIs of various SaaS providers, including Amazon SNS, Nexmo, Plivo, Proovl, Send99, Telesign, Telnyx, TextBelt, and Twilio, to conduct bulk SMS spam and phishing campaigns. 

Xeon Sender Abusing Nine SaaS providers For Massive SMS Attacks
Diff against the oldest and most recent version of Xeon Sender.

The tool leverages the valid credentials of these service providers to send messages en masse, bypassing any security weaknesses in the service providers themselves. 

Distributed through Telegram and other hacking forums, Xeon Sender poses a significant threat to users who these malicious campaigns may target.

It originated in 2022 and has since undergone minor modifications by various actors; despite these changes, the core functionality remains consistent. 

The tool has been widely distributed through online forums and Telegram channels, gaining significant popularity among cybercriminals.

In June 2023, a post on a hacking forum promoting Xeon Sender garnered substantial attention from the community, further solidifying its reputation.

Xeon Sender Abusing Nine SaaS providers For Massive SMS Attacks
Xeon posts on a cybercriminal  

The SMS sender tool has evolved from a Python-based application to a web-based interface, making it more accessible to individuals with limited technical skills, which simplifies the use of the tool by eliminating the need for users to install Python or manage dependencies. 

Additionally, a variant of the tool, known as SVG SMS, has been identified and attributed to a user named Savage Benz on Telegram, suggesting that the tool’s development and distribution are ongoing and may involve multiple individuals or groups.

Xeon Sender Abusing Nine SaaS providers For Massive SMS Attacks
SVG SMS variant of Xeon Sender

Xeon Sender is a malicious Python script facilitating SMS spam attacks through nine different SMS service providers by offering a user-friendly interface for attackers to leverage the providers’ APIs with stolen credentials. 

It requires various inputs, like API keys, sender IDs, and recipient phone numbers stored in separate text files, and utilizes the Python requests library or service-specific modules to craft requests containing the message and iterate through the recipient list, sending SMS spam with a short delay between each message. 

Xeon Sender Abusing Nine SaaS providers For Massive SMS Attacks
Telesign function in Xeon Sender

It is a tool for sending SMS spam attacks through the APIs of multiple providers that use provider-specific Python libraries to craft requests, making detection difficult.

While the tool itself lacks polish, defenders should monitor activities related to SMS sending permissions and distribution lists to identify potential abuse. 

According to Sentinel Labs, Xeon Sender targets existing accounts likely obtained through other tools and exploits weaknesses in the error handling of some providers (e.g., reporting only a ‘Success’ message regardless of outcome). 

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Acces



Source link