Threat actors are increasingly turning to a tool called Xeon Sender to execute large-scale SMS phishing (smishing) and spam campaigns by exploiting legitimate cloud APIs. The tool, which leverages valid credentials, targets well-known services such as Amazon SNS, Nexmo, Plivo, Twilio, and others to send bulk SMS messages. Rather than exploiting vulnerabilities within these services, Xeon Sender takes advantage of their APIs to carry out malicious activities, allowing attackers to distribute smishing messages designed to steal sensitive information from unsuspecting targets.
Xeon Sender is distributed through Telegram and hacking forums, where it has gained popularity among cybercriminals. The most recent version of the tool, attributed to a Telegram channel named Orion Toolxhub, also shares other malicious software, including tools for brute-force attacks, reverse IP address lookups, and unlimited SMS sending capabilities. Originally detected in 2022, the Python-based tool has since evolved, with various threat actors repurposing it for their own campaigns. The latest iteration even offers a web-based GUI, lowering the barrier to entry for less technically skilled attackers who may struggle with running Python scripts.
The tool’s functionality is robust, providing a command-line interface that interacts with the backend APIs of the chosen service provider. Xeon Sender enables attackers to orchestrate bulk SMS spam attacks by crafting API requests that include the sender ID, message content, and phone numbers from a predefined list. The tool also features capabilities to validate account credentials for services like Nexmo and Twilio, generate phone numbers based on country and area codes, and verify the validity of provided numbers. Although the tool’s code is cluttered with ambiguous variables, making it difficult to debug, its effectiveness lies in its ability to abuse legitimate cloud services.
The widespread use of Xeon Sender highlights the challenges in detecting and defending against such threats. Since the tool relies on provider-specific Python libraries to craft API requests, it can be difficult for security teams to identify the abuse of a given service. Each provider’s logs and libraries are unique, complicating detection efforts. To mitigate these risks, organizations are advised to monitor any activities related to SMS sending permissions, particularly any unusual changes to distribution lists or large uploads of new recipient phone numbers. By keeping a close watch on these indicators, companies can better protect themselves against the growing threat of large-scale SMS phishing campaigns driven by tools like Xeon Sender.
Reference:
