In recent months, security researchers have observed a new tool, Xeon Sender, being actively used in attacks on cloud services. Attackers use it for SMS phishing and spam campaigns, abusing legitimate messaging services to deliver the messages.
Importantly, Xeon Sender does not exploit any vulnerability in the providers themselves. Instead, attackers drive the providers' legitimate APIs to send spam in bulk. Tools of this kind have become increasingly popular among cybercriminals for sending phishing messages designed to steal confidential information.
Xeon Sender is distributed via Telegram and various forums devoted to hacking software. The latest version, available for download as a ZIP archive, refers to the Telegram channel "Orion Toolxhub", created in February 2023. That channel also actively spreads other malicious software, such as brute-forcing tools and website scanners.
Xeon Sender, also known as Xeonv5 and SVG Sender, was first discovered in 2022. Since then, its functionality has steadily expanded and it has been used by various groups of attackers. Notably, one version of the tool is hosted on a web server with a graphical interface, making it usable even by people with minimal technical skills.
At its core, the tool provides a command-line interface for interacting with the APIs of the selected services, which allows mass SMS campaigns to be organized. Attackers must already hold valid API keys for those services. Each request specifies the sender identifier, the message content, and telephone numbers drawn from a predefined list.
Additionally, Xeon Sender includes functions for validating account credentials for the Nexmo and Twilio services, generating telephone numbers from given country and region codes, and validating the resulting numbers. The program code contains many ambiguously named variables, which hinders analysis and debugging; researchers also note that its use of provider-specific libraries to build API requests makes the activity harder to distinguish from legitimate traffic and therefore harder to detect.
To protect against such threats, experts recommend that organizations monitor activity related to changes in SMS sending settings and abnormal changes in recipient lists, such as the mass loading of new numbers.
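The recommendation above can be turned into concrete detection logic. The following is an added example, not code from the article or from any provider: it runs three heuristics over a constructed SMS-gateway audit log (a hypothetical JSON-lines schema; the field names `event`, `sender_id`, `to`, `count` and so on are assumptions, since real providers such as Twilio and Nexmo use their own formats) and flags sender-ID changes, bulk recipient imports, and bursts of messages to numbers the organization has never messaged before.

```python
"""Detection heuristics for abuse of legitimate SMS APIs.

Added example (not the article's or any provider's code). The audit-log schema
below is hypothetical; adapt the field names to your provider's real export.
"""
import json
from collections import deque
from datetime import datetime, timedelta

# Constructed sample audit log: one JSON object per line, oldest first.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00Z", "actor": "svc-notify", "event": "sms.send", "sender_id": "ACME", "to": "+15551230001"}
{"ts": "2024-05-01T09:00:05Z", "actor": "svc-notify", "event": "sms.send", "sender_id": "ACME", "to": "+15551230002"}
{"ts": "2024-05-01T14:10:00Z", "actor": "svc-notify", "event": "settings.update", "field": "sender_id", "old": "ACME", "new": "BANK-ALERT"}
{"ts": "2024-05-01T14:10:30Z", "actor": "svc-notify", "event": "recipients.import", "count": 5000}
{"ts": "2024-05-01T14:11:00Z", "actor": "svc-notify", "event": "sms.send", "sender_id": "BANK-ALERT", "to": "+15559990001"}
{"ts": "2024-05-01T14:11:01Z", "actor": "svc-notify", "event": "sms.send", "sender_id": "BANK-ALERT", "to": "+15559990002"}
{"ts": "2024-05-01T14:11:02Z", "actor": "svc-notify", "event": "sms.send", "sender_id": "BANK-ALERT", "to": "+15559990003"}
{"ts": "2024-05-01T14:11:03Z", "actor": "svc-notify", "event": "sms.send", "sender_id": "BANK-ALERT", "to": "+15559990004"}
"""

# Constructed baseline: numbers the organization has legitimately messaged before.
KNOWN_RECIPIENTS = {"+15551230001", "+15551230002"}


def parse_log(text):
    """Parse JSON-lines audit records and convert timestamps to datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_sender_id_changes(events):
    """Any change to the sender ID is worth an alert: phishing tools rebrand the sender."""
    return [
        {"rule": "sender_id_changed", "ts": e["ts"].isoformat(), "actor": e["actor"],
         "detail": f'{e["old"]} -> {e["new"]}'}
        for e in events
        if e["event"] == "settings.update" and e.get("field") == "sender_id"
    ]


def detect_bulk_imports(events, threshold=1000):
    """Flag recipient-list imports larger than `threshold` numbers in one operation."""
    return [
        {"rule": "bulk_recipient_import", "ts": e["ts"].isoformat(), "actor": e["actor"],
         "detail": f'{e["count"]} numbers imported'}
        for e in events
        if e["event"] == "recipients.import" and e.get("count", 0) >= threshold
    ]


def detect_unseen_recipient_burst(events, known, window=timedelta(minutes=5), threshold=3):
    """Fire once when `threshold` sends to never-seen numbers fall inside `window`."""
    alerts = []
    seen = set(known)
    recent = deque()  # timestamps of recent sends to previously unseen numbers
    for e in events:
        if e["event"] != "sms.send" or e["to"] in seen:
            continue
        seen.add(e["to"])
        recent.append(e["ts"])
        while recent and e["ts"] - recent[0] > window:
            recent.popleft()
        if len(recent) == threshold:  # fire exactly once per crossing of the threshold
            alerts.append({"rule": "unseen_recipient_burst", "ts": e["ts"].isoformat(),
                           "actor": e["actor"],
                           "detail": f"{threshold} sends to new numbers within {window}"})
    return alerts


def analyze(text, known):
    """Run all heuristics over a log and return alerts ordered by time."""
    events = parse_log(text)
    alerts = (detect_sender_id_changes(events)
              + detect_bulk_imports(events)
              + detect_unseen_recipient_burst(events, known))
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, KNOWN_RECIPIENTS):
        print(alert["ts"], alert["rule"], alert["actor"], alert["detail"])
```

The thresholds (1000 imported numbers, 3 unseen recipients in 5 minutes) are deliberately low so the constructed sample triggers every rule; in production they should be tuned to the organization's normal notification volume, and the "known recipients" baseline should be built from historical sends rather than a hard-coded set.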