Xeon Sender

12895043483?profile=RESIZE_400xXeon Sender (aka XeonV5, SVG Sender) is a cloud attack tool that can be used to send Short Message Service (SMS) messages en masse to conduct spam and phishing (aka smishing) campaigns.  Attackers can use Xeon to send messages through multiple software-as-a-service (SaaS) providers using valid credentials for the service providers.  There are no weaknesses on the service provider side that are leveraged for these attacks; rather, the tool uses legitimate APIs to enable bulk SMS spam attacks.

The service providers this tool uses include:

  • Amazon Simple Notification Service (SNS)
  • Nexmo
  • Plivo
  • Proovl
  • Send99
  • Telesign
  • Telnyx
  • TextBelt
  • Twilio

Researchers found Xeon Sender being distributed through Telegram, the standard cloud hack tool distribution platform, and various smaller hacking forums and sites.  There is no apparent relationship between Xeon Sender and the Intel processor family, which have the same name.[1]

SMS Spam Shipping Multi-Tool Targeting SaaS Credentials

History & Distribution - The earliest known version of Xeon Sender dates back to at least 2022 in a version that credits handle @darkworld47.  Like many other cloud hacktools, Xeon Sender became a victim of its own success, with different actors regularly adding their handles to the tool credits.  

Aside from the tool’s purported author and occasionally the tool name, there are no significant differences across any Sentinel-identified samples.
12895050662?profile=RESIZE_584xDiff against the oldest and most recent version of Xeon Sender

One of the older versions gives credit to a Telegram channel known for distributing cracked hacktools and is also credited in older versions of the AlienFox cloud infostealer.  The most recent version credits the script to a Telegram channel with over 200 members, where the author posts various tools and shares details and screenshots of how the tools work.
12895052074?profile=RESIZE_584xXeon Sender main menu

In June 2023, the administrator posted Xeon Sender on a hack tool and cybercrime discussion forum. The post received more than 70 user “Likes” and five pages of comments.
12895053092?profile=RESIZE_400xXeon post on a cybercriminal forum

Another incarnation of the tool is hosted on a webserver with a GUI. This hosting method removes a potential barrier to access, enabling lower-skilled actors who may not be comfortable running Python tools and troubleshooting their dependencies.


12895054481?profile=RESIZE_400xSMS sender panel hosted on a web server

Analysts also identified a version called SVG SMS attributed to Savage Benz, aka @spamsznon Telegram, which marked another alias for this tool.
12895052074?profile=RESIZE_584xSVG SMS variant of Xeon Sender

Features - Xeon Sender is a tool that lets attackers conduct SMS spam attacks via one of nine bulk SMS providers.  The tool provides a simple CLI for the attacker to communicate with the targeted service provider's backend using APIs, enabling bulk SMS spam attacks with minimal effort.  For the tool to work, the actor must have API keys for the targeted service.  Enabling these service providers’ SMS APIs is an arduous task guided by federal regulations in the United States.  This means actors are likely to seek credentials belonging to accounts that have already undergone the process.

Each service provider-specific action is controlled by a method from the script’s main class.  The methods require several values from the operator:

  • API Key
  • Secret Key
  • AWS Region – for AWS Simple Notification Service (SNS) only
  • Customer ID – for Telesign only, specifies the Telesign account
  • Sender ID – a phone number or name that varies per service provider
  • Message contents – stored in the tool’s config/message.txt
  • List of recipient phone numbers – stored in tool’s config/phone.txt

 

With these values, the tool uses the Python requests library to craft an API request to the targeted service using the credentials or a service-specific module, such as Twilio’s twilio.rest or messagebird in the case of Twilio and MessageBird.  The exception is the Proovl module, which uses a combination of Python’s urllib and manually crafted HTTP headers.  The Proovl request is sent with the user-agent string Mozilla/5.0 (Windows NT 6.1; Win64; x64), often followed by more details about the client, so it should not be relied on for detection engineering purposes.  In each provider-specific function, the request includes the sender ID, the SMS message contents, and one of the phone numbers from the phone.txt list. The script will loop through the phone.txt list until each phone number has been accessed, taking a 50-millisecond sleep between each iteration
12895059464?profile=RESIZE_710xTelesign function in Xeon Sender

In addition to the SMS-sending methods, there are several related utilities, including:

  • Account Checker Tools: Validates credentials for Nexmo and Twilio accounts.
  • Phone Number Generator: This function takes arguments for the Country Code and Area Code, as well as the length of the phone number, and uses the Python random module to generate a phone number of the given length.
  • Phone Checker: This method checks a given phone number against the APILayer.com Number Verification API to see if it is valid.

Xeon Sender lacks the polish to make the tool appeal to more professional applications.  The script contains some error handling, but there is little clarity with specific API calls.  The methods that interact with several SMS providers–including Send99, Plivo, TextBelt, and Nexmo–have conditions for error handling and reporting a status message.  However, several providers–including larger providers such as AWS SNS and Twilio–report only a ‘Success’ message regardless of the request’s outcome or server response HTTP status code.  Further, the developer uses ambiguous variables such as single letters or a letter plus a number, which makes debugging slightly more complex.

Detection Opportunities - Xeon Sender essentially uses provider-specific Python libraries to craft API requests, which presents exciting detection challenges.  Each library is unique, as are the provider’s logs.  It may be difficult for teams to detect abuse of a given service.

To defend against threats like Xeon Sender, organizations should monitor activity related to evaluating or modifying SMS sending permissions or strange changes to distribution lists, such as a large upload of new recipient phone numbers.  For organizations using AWS, this includes calls to the GetSMSAttributes AWS API or changes to existing permissions using calls to SetSMSAttributes. Xeon Sender does not directly handle this, so actors who use Xeon likely use other tools or sources for preliminary survey and credential validation.

Conclusion - Xeon Sender is another tool that gives defenders insight into how actors attack cloud services to send SMS spam, an ongoing trend highlighted in research on tools like SNS Sender and through similar smishing campaigns.  Due to federal regulations and related fees imposed by bulk SMS providers, threat actors are more likely to target accounts belonging to organizations that have already gone through this process than to make accounts independently, not to mention costs for message delivery as a separate financial burden.

Attribution remains open to interpretation in script-based cloud attack tools where one actor can easily put their name inside a tool to replace the previous author.  Despite many actors claiming this tool as their own, we have observed no significant deviations between known versions.  Clear improvements could be made, such as improved status and error handling.  Other tools like AlienFox have evolved as different actors adapt the tools, often bringing improvements.  Actors may ultimately improve on Xeon Sender or roll features into a multi-tool that covers more attack categories.

Indicators of Compromise:

Xeon Sender SHA-1
078e90c959e3290a4f716fbf4e1d09fe46aaa68b
08d7091b7a9907a6f5894f31cd34e3e8e11cc026
3597915cfbbcc7ea135bf889a89bff635c825e0d
4863a15f85cd0f16ad65434de2122324c04a868a
4e6e8b074943c7fab3206ddb0abf571ffaf68523
9b01d82ceb710df3f51e52a1726b0cda85b47672
ac1d71228114bd95647683e842d42e81a6e97a88
bff95ff87e4081386a6ce6b8289e1524a4a4bd47
e0981369347062ac7f3eb32b833eb4264577e073
f192bb0e141c48e5b0bf46083e30823ea58e8bb3

Xeon Sender Archive SHA-1
a19db8716c39454bf363327441dc2e5f46810c30
33c622345804b46d0494f83720fad45ec0df3e97
7a7d57ed5f24772afa07ad24313ace5d84646a49

 

This article is shared at no charge and is for educational and informational purposes only.

We want to thank Sentinel Labs for this report.  Their collection and analysis is excellent.  Red Sky Alliance provides Cyber Threat Analysis and Intelligence Services for our clients.  We provide valuable indicators of compromised information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424

 

[1] https://www.sentinelone.com/labs/xeon-sender-sms-spam-shipping-multi-tool-targeting-saas-credentials/

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!