Security researchers have issued a warning about a phishing tool that threat actors can use through SaaS providers to send mass spam messages.
The tool, called 'Xeon Sender' and documented by SentinelLabs, is a cloud-based attack tool that can send spam messages through nine different SaaS providers. It is also known by other names, such as 'Xeon V5' and 'SVG Sender'.
It is built with Python and works without exploiting a vulnerability on the SaaS provider's side, instead using legitimate APIs to enable the deployment of large-scale attacks.
Service providers the tool can send through include Amazon Simple Notification Service (SNS), Nexmo, Plivo, Proovl, Send99, Telesign, Telnyx, TextBelt and Twilio, Sentinel Labs noted.
Although there are variants of the tool, none are significantly different from one another. Users interact with it through a command-line interface (CLI) that allows the attacker to communicate with the targeted service provider.
Sentinel Labs noted that attackers “must have API keys for the targeted service,” which can be an “arduous” task. This means that attackers are “likely to look for credentials belonging to accounts that have already undergone the process.”
The tool then builds “requests” in Python that are populated from three fields: sender ID, SMS message content, and phone number. The phone number can be filled in automatically from the “phone.txt” list, which the tool loops through until a spam message has been sent to each number.
Xeon Sender could lower the bar for budding hackers
Sentinel Labs said Xeon Sender “lacks refinement” as a spam tool, which reduces its appeal for more professional spam campaigns. It has “poor clarity” in certain API calls, and its “ambiguous variables” make debugging difficult.
The first version of Xeon Sender dates back to 2022, after which the tool became a “victim of its own success, with different actors regularly adding their own username to the tool's credits,” according to Sentinel Labs.
“We discovered that Xeon Sender was being distributed via Telegram (the standard distribution platform for cloud hacking tools) as well as on several smaller hacking sites and forums,” Sentinel Labs said.
Sentinel recommended that organizations “monitor for activity related to SMS sending permissions being evaluated or modified or anomalous changes to distribution lists, such as a large upload of new recipient phone numbers.”
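As an added illustration of that monitoring advice (this is not code from SentinelLabs or from Xeon Sender), the Python example below scans CloudTrail-style records for Amazon SNS, one of the nine providers named above, and flags principals that evaluate or modify SMS sending settings or add many SMS recipients in a short window. The event names are SNS API actions; the record layout, the thresholds, the principal names and the sample events are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# SNS actions that read or change account-level SMS sending settings.
SMS_PERMISSION_ACTIONS = {"GetSMSAttributes", "SetSMSAttributes",
                          "GetSMSSandboxAccountStatus"}

def detect(events, burst_threshold=3, window=timedelta(minutes=5)):
    """Return sorted (principal, finding) pairs for both monitoring signals."""
    findings, sms_subs = set(), defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "sns.amazonaws.com":
            continue
        who, name = ev["userIdentity"]["arn"], ev["eventName"]
        if name in SMS_PERMISSION_ACTIONS:
            findings.add((who, "sms-permission:" + name))
        params = ev.get("requestParameters") or {}
        if name == "Subscribe" and params.get("protocol") == "sms":
            ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
            sms_subs[who].append(ts)
    for who, times in sms_subs.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over subscribe times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                findings.add((who, "bulk-sms-recipient-upload"))
                break
    return sorted(findings)

def _event(time, name, user, params=None):
    # Constructed record; field layout follows CloudTrail naming (assumed).
    return {"eventTime": time, "eventSource": "sns.amazonaws.com",
            "eventName": name, "requestParameters": params,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/" + user}}

def _sub(time, user, protocol="sms"):
    return _event(time, "Subscribe", user, {"protocol": protocol})

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    _event("2024-01-01T10:00:00Z", "GetSMSSandboxAccountStatus", "svc-a"),
    _event("2024-01-01T10:00:05Z", "SetSMSAttributes", "svc-a"),
    _sub("2024-01-01T10:01:00Z", "svc-a"), _sub("2024-01-01T10:01:20Z", "svc-a"),
    _sub("2024-01-01T10:01:40Z", "svc-a"),
    _sub("2024-01-01T09:00:00Z", "svc-b"), _sub("2024-01-01T12:00:00Z", "svc-b"),
    _sub("2024-01-01T15:00:00Z", "svc-b"), _sub("2024-01-01T10:02:00Z", "svc-c", "email"),
]
```

Only the first principal is flagged: the second adds the same number of SMS recipients but spread over hours, and the third subscribes an e-mail endpoint.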
Ultimately, the company concluded that Xeon Sender is another opportunity for defenders to gain insight into how attackers target cloud services to send SMS spam, which is “an ongoing trend” according to Sentinel.
“The actors could ultimately improve Xeon Sender or incorporate features into a multi-tool that covers more attack categories,” he said.