Security researchers have issued a warning over a phishing tool that threat actors can use, via legitimate SaaS providers, to send spam messages en masse.
The tool, dubbed ‘Xeon Sender’ by SentinelLabs, is a cloud-based attack tool that can send spam messages via nine different SaaS providers. The tool is also known by alternative names, including ‘XeonV5’ and ‘SVG Sender’.
It’s built in Python and works without exploiting any vulnerability on the SaaS provider side; instead it abuses the providers’ legitimate APIs to run large-scale spam campaigns.
The service providers this tool can use include Amazon Simple Notification Service (SNS), Nexmo, Plivo, Proovl, Send99, Telesign, Telnyx, TextBelt, and Twilio, SentinelLabs warned.
Though there are variations of the tool, none are significantly different from one another. Users interact with it through a command line interface (CLI) which allows the attacker to communicate with the targeted service provider.
SentinelLabs noted that attackers “must have API keys for the targeted service”, which can be an “arduous” task. This means attackers are “likely to seek credentials belonging to accounts that have already undergone the process.”
The tool then builds Python “requests” calls whose fields – sender ID, SMS message content, and recipient phone number – are filled in by the operator. The phone number can be supplied automatically from the “phone.txt” list, which the tool loops through until the spam message has been sent to every number.
Xeon Sender could lower the bar for entry-level hackers
SentinelLabs stated that Xeon Sender “lacks polish” as a spam tool, lowering its appeal for more professional spam campaigns. Xeon Sender has “little clarity” in certain API calls, and “ambiguous variables” make debugging more difficult.
The earliest version of Xeon Sender can be traced back to 2022, after which the tool became a “victim of its own success, with different actors regularly adding their own handle to the tool credits,” according to SentinelLabs.
“We found Xeon Sender being distributed through Telegram–the standard cloud hacktool distribution platform–as well as various smaller hacking forums and sites,” SentinelLabs stated.
SentinelLabs advised organizations to “monitor activity related to evaluating or modifying SMS sending permissions or anomalous changes to distribution lists, such as a large upload of new recipient phone numbers.”
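As an added defender-side illustration of that monitoring advice (example code, not from SentinelLabs or the article), the following Python flags the two behaviours over constructed, simplified CloudTrail-style Amazon SNS records: access to SMS sending settings, and one principal publishing to many distinct phone numbers in a short window, which is what looping through a recipient list looks like in logs. The event names are SNS API names; the record shape, principal ARN, thresholds and the assumption that SNS data-event logging is enabled (so Publish calls appear) are all assumptions made here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# SNS control-plane calls that change or probe SMS sending settings.
SMS_SETTING_EVENTS = {"SetSMSAttributes", "GetSMSAttributes"}
TS = "%Y-%m-%dT%H:%M:%SZ"

def detect(events, window_minutes=10, max_recipients=20):
    """Return (principal, reason) alerts from CloudTrail-style SNS records."""
    alerts, publishes = [], defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "sns.amazonaws.com":
            continue
        who = ev["userIdentity"]["arn"]
        if ev["eventName"] in SMS_SETTING_EVENTS:
            alerts.append((who, "SMS setting access: " + ev["eventName"]))
        elif ev["eventName"] == "Publish":
            phone = ev.get("requestParameters", {}).get("phoneNumber")
            if phone:  # direct-to-number SMS rather than a topic publish
                publishes[who].append((datetime.strptime(ev["eventTime"], TS), phone))
    # Many distinct numbers from one principal in a short span is what a tool
    # looping through a recipient list such as phone.txt looks like in the logs.
    for who, items in publishes.items():
        items.sort()
        for i, (t, _) in enumerate(items):
            window_end = t + timedelta(minutes=window_minutes)
            distinct = {p for u, p in items[i:] if u <= window_end}
            if len(distinct) > max_recipients:
                alerts.append((who, f"{len(distinct)} distinct SMS recipients in {window_minutes} min"))
                break
    return alerts

def sample_events():
    """Constructed records: one attribute change, then 25 SMS publishes in two minutes."""
    arn = "arn:aws:iam::123456789012:user/example-sender"  # constructed principal
    base = datetime(2024, 1, 1, 12, 0, 0)
    evs = [{"eventSource": "sns.amazonaws.com", "eventName": "SetSMSAttributes",
            "eventTime": "2024-01-01T11:58:00Z", "userIdentity": {"arn": arn},
            "requestParameters": {"attributes": {"DefaultSenderID": "EXAMPLE"}}}]
    for i in range(25):
        evs.append({"eventSource": "sns.amazonaws.com", "eventName": "Publish",
                    "eventTime": (base + timedelta(seconds=5 * i)).strftime(TS),
                    "userIdentity": {"arn": arn},
                    "requestParameters": {"phoneNumber": f"+1555000{i:04d}", "message": "constructed"}})
    return evs

if __name__ == "__main__":
    for who, reason in detect(sample_events()):
        print(who, "->", reason)
```

In practice the same two checks apply to any of the listed providers that expose audit logs; only the event names and field paths change.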
Ultimately, the firm concluded that Xeon Sender is another opportunity for defenders to gain insight into how attackers target cloud services to send SMS spam, which is “an ongoing trend” according to SentinelLabs.
“Actors may ultimately improve on Xeon Sender, or roll features into a multi-tool that covers more attack categories,” it said.