
Xeon Sender (Infostealer) – Malware

February 14, 2025

Xeon Sender

Type of Malware

Infostealer

Date of Initial Activity

2022

Additional Names

Xeon V5
SVG Sender

Motivation

Financial Gain
Data Theft

Attack Vectors

Phishing

Type of Information Stolen

Login Credentials
Financial Details

Overview

Xeon Sender is a sophisticated Python-based tool designed for large-scale SMS spam and phishing (smishing) attacks, leveraging legitimate Software-as-a-Service (SaaS) providers’ APIs to send unsolicited messages. First discovered in 2022, this malware has rapidly gained traction among cybercriminals, who have rebranded and repurposed it for various malicious campaigns. What makes Xeon Sender particularly insidious is its use of authorized API credentials, which allows it to send bulk SMS messages through trusted services like Twilio, Amazon SNS, and Nexmo. By utilizing these established platforms, the tool bypasses traditional security measures, making it harder for service providers to distinguish between legitimate traffic and malicious use.

The tool’s functionality is deceptively simple but highly effective. Attackers can configure Xeon Sender to send large volumes of SMS messages, often with phishing links or other forms of malicious content. Once configured with API keys and other necessary credentials, Xeon Sender interacts with the SaaS provider’s APIs, sending messages to a list of targeted phone numbers. The tool’s ability to work across multiple SMS services makes it versatile and difficult to counter, as it spreads its activities across a range of different providers, reducing the risk of detection through conventional means.
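
Because the tool runs entirely on stolen SaaS API credentials, the most direct mitigation on the defender's side is to keep those credentials out of places where they get stolen. The following Python scanner is an added example, not code from this page or from the SentinelLabs research it cites: it looks for the credential formats named above (Twilio, Amazon SNS via AWS access keys, Nexmo) in a constructed configuration file. The Twilio Account SID and AWS access key ID prefixes are publicly documented formats; the context rule for auth tokens and API secrets, and all sample values, are assumptions.

```python
import re
from typing import List, Pattern, Tuple

# Credential formats the scanner looks for. The Twilio Account SID ("AC" + 32 hex
# characters) and AWS access key ID ("AKIA"/"ASIA" + 16 characters) formats are
# publicly documented. Twilio auth tokens and Nexmo/Vonage secrets have no
# distinctive prefix, so they are caught through a context rule keyed on common
# variable names; that rule is an assumption and needs tuning per code base.
PATTERNS: List[Tuple[str, Pattern[str]]] = [
    ("twilio_account_sid", re.compile(r"\bAC[0-9a-fA-F]{32}\b")),
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    ("secret_assignment",
     re.compile(r"(?i)(?:auth_token|api_secret)\s*[:=]\s*['\"]?([A-Za-z0-9]{16,})")),
]


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding can be tied to an account; mask the rest."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(text: str) -> List[Tuple[str, int, str]]:
    """Return (pattern_name, line_number, redacted_value) for every hit in text."""
    hits: List[Tuple[str, int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS:
            for match in pattern.finditer(line):
                # The context rule captures the secret in group 1; the prefix
                # rules match the whole credential.
                value = match.group(1) if match.groups() else match.group(0)
                hits.append((name, lineno, redact(value)))
    return hits


# Constructed sample .env file; none of these values are real credentials.
SAMPLE_CONFIG = "\n".join([
    "# constructed sample .env, not real credentials",
    "TWILIO_ACCOUNT_SID=AC" + "a" * 32,
    "TWILIO_AUTH_TOKEN=" + "0123456789abcdef" * 2,
    "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12",
    'NEXMO_API_SECRET="abcdefghijklmnop"',
    "DEBUG=true",
])

if __name__ == "__main__":
    for name, lineno, value in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {name} -> {value}")
```

Run it over repositories, CI logs and shared configuration, and treat every hit as a rotation task rather than a triage question: a Twilio or AWS key that has been committed anywhere is exactly the kind of already-verified credential the text says this tool depends on.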

Targets

Individuals

How they operate

To execute a successful attack, the malware requires API keys and credentials for each targeted service provider. These credentials are typically obtained through stolen or compromised accounts that have already gone through the necessary verification processes for these services. Once the attacker has the required API keys, Xeon Sender can be configured to send messages by interacting with the APIs of the chosen service providers. The tool allows the attacker to specify several parameters, such as the sender ID, message contents, and recipient phone numbers, all of which are stored in the tool’s configuration files.

Once initialized, Xeon Sender works by calling the API-specific methods associated with each provider. For example, the tool uses the Python requests library to send API requests to platforms like Twilio and Nexmo. These requests contain the necessary authentication credentials (such as API key and secret) and the required message parameters (sender ID, message content, and recipient phone number). In the case of platforms like Proovl, the tool instead relies on Python’s urllib module to craft HTTP requests with custom headers. The payload for each message is retrieved from the tool’s configuration files, which are set up by the attacker, ensuring that the content can be easily customized for each campaign.

The malware’s effectiveness is largely due to its ability to send SMS messages at scale through multiple services, allowing it to bypass rate-limiting measures or detection systems employed by individual providers. The tool uses a simple looping mechanism to cycle through a list of recipient phone numbers, sending each one an SMS message with a brief delay (typically 50 milliseconds) between each iteration. This ensures that a large number of messages can be sent in a short time frame, significantly increasing the scale of the attack.

In addition to the primary SMS-sending functionality, Xeon Sender contains several auxiliary tools to support the operation. For example, it includes an account checker for validating the credentials of Twilio and Nexmo accounts, which allows attackers to test whether their obtained API keys are valid. The malware also features a phone number generator that can create random numbers based on specific parameters (such as country code and area code), which can be used to populate the recipient list for the SMS campaign. Furthermore, a phone number checker tool verifies the validity of phone numbers by interfacing with external services like APILayer.com.

One of the main technical challenges for defenders is that Xeon Sender utilizes different API libraries for each service, making detection difficult. Each library has its unique signature and interacts with the corresponding SaaS provider in a way that can vary. Additionally, since the tool uses legitimate services to send the messages, detecting and blocking the malicious activity purely based on API usage is challenging. Service providers typically report only success messages for SMS delivery, leaving little room for further investigation of suspicious activity.
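
The behaviour described above leaves a recognisable shape in the SMS provider's own message records, even though each individual API call is legitimate. As an added defender-side example (not code from this page or from the SentinelLabs research it cites), the following Python script runs three signals over a constructed provider message log for the account that owns the credentials: one body going to many distinct recipients, the machine-paced inter-message gap the text mentions, and the high undelivered share that a randomly generated recipient list produces. Field names, account identifiers and thresholds are assumptions; the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List


def build_sample_log() -> List[dict]:
    """Constructed provider-side message records; not real traffic.

    Fields mirror what SMS API audit exports commonly carry: send time, the
    account that issued the API call, destination number, body and delivery
    status. Account names are placeholders.
    """
    base = datetime(2025, 2, 14, 9, 0, 0)
    rows: List[dict] = []
    # Bulk pattern: one account pushes an identical text to 20 numbers 50 ms
    # apart, and a quarter of the numbers do not exist (generated recipient list).
    for i in range(20):
        rows.append({
            "ts": base + timedelta(milliseconds=50 * i),
            "account": "ACCOUNT_constructed_1",
            "to": f"+1555010{i:04d}",
            "body": "Your package is on hold. Confirm at https://example.invalid/track",
            "status": "undelivered" if i % 4 == 0 else "delivered",
        })
    # Benign pattern: an application sends a few distinct one-time codes minutes apart.
    for i in range(5):
        rows.append({
            "ts": base + timedelta(minutes=3 * i),
            "account": "ACCOUNT_constructed_2",
            "to": f"+1555020{i:04d}",
            "body": f"Your verification code is {1000 + i}",
            "status": "delivered",
        })
    return rows


def analyze(rows: List[dict], window: timedelta = timedelta(minutes=5),
            min_burst: int = 10, max_median_gap_s: float = 1.0,
            max_failure_rate: float = 0.2) -> List[Dict]:
    """Flag accounts whose sending looks like a scripted bulk campaign.

    A sliding time window per account is checked for three signals: one body
    going to many distinct recipients, machine-paced inter-message gaps, and a
    high share of undelivered messages. Thresholds are assumptions and should
    be tuned against the organisation's own baseline.
    """
    by_account: Dict[str, List[dict]] = defaultdict(list)
    for row in rows:
        by_account[row["account"]].append(row)

    findings: List[Dict] = []
    for account, msgs in by_account.items():
        msgs.sort(key=lambda r: r["ts"])
        for i in range(len(msgs)):
            j = i
            while j < len(msgs) and msgs[j]["ts"] - msgs[i]["ts"] <= window:
                j += 1
            batch = msgs[i:j]
            # At least two messages are needed to compute a gap.
            if len(batch) < max(min_burst, 2):
                continue
            bodies = {r["body"] for r in batch}
            recipients = {r["to"] for r in batch}
            gaps = [(batch[k]["ts"] - batch[k - 1]["ts"]).total_seconds()
                    for k in range(1, len(batch))]
            failure_rate = sum(r["status"] != "delivered" for r in batch) / len(batch)

            reasons = []
            if len(bodies) == 1 and len(recipients) == len(batch):
                reasons.append("identical_body_many_recipients")
            if median(gaps) <= max_median_gap_s:
                reasons.append("machine_paced")
            if failure_rate >= max_failure_rate:
                reasons.append("high_failure_rate")
            if reasons:
                findings.append({
                    "account": account,
                    "messages": len(batch),
                    "distinct_recipients": len(recipients),
                    "median_gap_s": round(median(gaps), 3),
                    "failure_rate": round(failure_rate, 2),
                    "reasons": reasons,
                })
                break  # one finding per account is enough for triage
    return findings


if __name__ == "__main__":
    for finding in analyze(build_sample_log()):
        print(finding)
```

The failure-rate signal is the one that survives a slower send loop: an attacker can raise the delay above 50 milliseconds, but a recipient list produced by a number generator still yields far more undelivered messages than a real customer list, so a drop in delivery rate on an account is worth an alert even when the volume alone looks ordinary.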

MITRE Tactics and Techniques

Initial Access (T1071) – Application Layer Protocol
Xeon Sender utilizes legitimate API services (such as Twilio, Nexmo, and AWS SNS) for sending bulk SMS messages, which may represent an entry vector through compromised credentials. This would fall under initial access via legitimate communication protocols like HTTP or API access.
Execution (T1203) – Exploitation for Client Execution
The tool itself is a Python script that can be executed on the victim’s system. Although this attack vector is typically cloud-based, the execution of the script itself is a direct use of system resources, resulting in the delivery and execution of the malicious functionality.
Persistence (T1071) – Application Layer Protocol
The malware may maintain persistence through legitimate service provider accounts that have been compromised or fraudulently obtained. The attacker can continue using valid API credentials over extended periods without raising alarms, making it difficult to detect.
Privilege Escalation (T1078) – Valid Accounts
The attackers leverage valid credentials for various SaaS providers to perform malicious actions. These credentials are often obtained through earlier compromises or phishing campaigns targeting the credentials of service provider accounts, enabling attackers to execute bulk messaging campaigns.
Defense Evasion (T1071) – Application Layer Protocol
Xeon Sender uses legitimate APIs from services like Twilio, Nexmo, and others, making it harder for security systems to differentiate between normal and malicious activity. The use of these trusted services aids in evading traditional defenses, such as anomaly detection based on IP address or specific request patterns.
Credential Dumping (T1003) – Credentials from Web Browsers
Though Xeon Sender does not typically engage in the direct dumping of credentials from browsers, attackers often rely on previously compromised accounts or credentials from third-party data breaches, thus potentially facilitating attacks that involve dumping credentials for legitimate services.
Exfiltration (T1041) – Exfiltration Over Command and Control Channel
While not a traditional exfiltration method, the gathering and use of stolen credentials via a command and control channel (e.g., through Telegram or other platforms) can be considered a form of exfiltrating valuable information to maintain control over the attack.
Impact (T1071) – Data Encrypted for Impact
While Xeon Sender doesn’t encrypt data, the tool’s use of SMS campaigns often targets users with phishing links or malicious attachments, impacting the victim by exploiting their personal data for further campaigns or financial gain.  
References:
  • Xeon Sender | SMS Spam Shipping Multi-Tool Targeting SaaS Credentials