Xeon Sender is a Python-based tool that enables SMS spam campaigns by leveraging legitimate APIs from multiple SaaS providers. Since first seen in 2022, it has been repurposed by various actors for smishing campaigns, often distributed via Telegram and hacking forums. #XeonSender #SavageBenz
Keypoints
- Tool name and aliases: Xeon Sender (also known as XeonV5, SVG Sender).
- First seen in 2022; multiple threat actors have since repurposed the tool, rebranding it with their own credits.
- Primary function: sends SMS messages en masse for spam and phishing (smishing) campaigns.
- Nine service providers are supported: Amazon SNS, Nexmo, Plivo, Proovl, Send99, Telesign, Telnyx, TextBelt and Twilio.
- Distribution channels include Telegram and various hacking forums.
- Detection is hard to generalize because each provider is driven through its own library and API, so the resulting logs differ from service to service.
- Defense emphasis: monitor changes to SMS-sending permissions and distribution lists, and treat Amazon SNS SMS-attribute calls (GetSMSAttributes/SetSMSAttributes) from unexpected principals as potential indicators.
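The two defensive signals above (SNS SMS-attribute calls from unexpected principals, and permission changes that grant SMS sending) can be hunted in CloudTrail. The following is an added example, not code from the original page or from the researchers who analysed Xeon Sender. The CloudTrail field names follow AWS's documented record format; the principal allowlist, the sample records and the policy document are constructed for the example and are not real logs.

```python
"""Hunt for Xeon Sender-style SNS SMS abuse in CloudTrail records.

Added example (not from the original page).  Assumptions: CloudTrail
records are dicts shaped like AWS's documented JSON format; the allowlist
of principals expected to manage SMS settings is invented for this demo.
"""
import json
from urllib.parse import quote, unquote

# Principals expected to read or change SNS SMS settings (assumed).
ALLOWED_SMS_ADMINS = {"arn:aws:iam::123456789012:user/sms-admin"}

SMS_ATTRIBUTE_CALLS = {"GetSMSAttributes", "SetSMSAttributes"}
# IAM calls that carry an inline policy document in requestParameters.
POLICY_WRITE_CALLS = {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
                      "CreatePolicy", "CreatePolicyVersion"}


def principal_of(rec):
    """Best-effort identity string for a CloudTrail record."""
    ident = rec.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def allowed_actions(policy_doc):
    """Collect Allow actions from an IAM policy document (str or dict).
    CloudTrail URL-encodes inline policy documents, so decode first."""
    if isinstance(policy_doc, str):
        policy_doc = json.loads(unquote(policy_doc))
    stmts = policy_doc.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    found = set()
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        acts = s.get("Action", [])
        found.update([acts] if isinstance(acts, str) else acts)
    return found


def find_sms_abuse_indicators(records, allowed=ALLOWED_SMS_ADMINS):
    """Return (eventTime, principal, sourceIP, reason) tuples for records
    matching the two indicators: SMS-attribute calls by principals outside
    the allowlist, and policy writes that grant any sns:* action."""
    hits = []
    for rec in records:
        src, name, who = rec.get("eventSource"), rec.get("eventName"), principal_of(rec)
        params = rec.get("requestParameters") or {}
        when, ip = rec.get("eventTime"), rec.get("sourceIPAddress")
        if src == "sns.amazonaws.com" and name in SMS_ATTRIBUTE_CALLS:
            if who in allowed:
                continue
            reason = f"{name} by non-allowlisted principal"
            if name == "SetSMSAttributes":
                reason += f"; attributes changed: {sorted(params.get('attributes', {}))}"
            hits.append((when, who, ip, reason))
        elif src == "iam.amazonaws.com" and name in POLICY_WRITE_CALLS:
            sms = {a for a in allowed_actions(params.get("policyDocument", "{}"))
                   if a.lower().startswith("sns:")}
            if sms:
                hits.append((when, who, ip, f"{name} grants {sorted(sms)}"))
    return hits


# Constructed sample records (not real CloudTrail output).
_POLICY = quote(json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sns:Publish", "sns:SetSMSAttributes"], "Resource": "*"}]}))
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2024-08-01T09:00:00Z", "eventSource": "sns.amazonaws.com",
     "eventName": "GetSMSAttributes", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/sms-admin"}},
    {"eventTime": "2024-08-01T09:05:00Z", "eventSource": "sns.amazonaws.com",
     "eventName": "GetSMSAttributes", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
    {"eventTime": "2024-08-01T09:06:00Z", "eventSource": "sns.amazonaws.com",
     "eventName": "SetSMSAttributes", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"attributes": {"MonthlySpendLimit": "5000",
                                          "DefaultSMSType": "Transactional"}}},
    {"eventTime": "2024-08-01T09:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutUserPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"userName": "ci-deploy", "policyName": "sms", "policyDocument": _POLICY}},
    {"eventTime": "2024-08-01T09:08:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.0.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops"}},
]

if __name__ == "__main__":
    for hit in find_sms_abuse_indicators(SAMPLE_CLOUDTRAIL):
        print(*hit, sep=" | ")
```

On real data, feed `find_sms_abuse_indicators` the `Records` array of each CloudTrail log file and tune the allowlist to the principals that legitimately administer SMS; a GetSMSAttributes call from a principal that has never touched SNS before is the cheap credential-validation step an attacker performs before spending your SMS quota, and a SetSMSAttributes that raises MonthlySpendLimit deserves an immediate look.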
MITRE Techniques
- [T1078] Valid Accounts – Access SaaS providers using stolen credentials. ‘Actors may use stolen credentials to access SaaS providers for sending SMS spam.’
- [T1203] Exploitation for Client Execution – Use legitimate APIs to perform bulk SMS sending. ‘Utilizes legitimate APIs to execute bulk SMS sending.’ Note that no client-side vulnerability is exploited here: the tool drives vendor APIs with valid credentials, so this mapping is loose and the activity is better characterized by T1078 above.
- [T1071] Application Layer Protocol – Communicate with SaaS providers via HTTP requests. ‘Communicates with SaaS providers using HTTP requests.’
- [T1499] Endpoint Denial of Service – Overwhelm recipients with spam messages, causing disruption. ‘Can overwhelm recipients with spam messages, causing disruption.’
Indicators of Compromise
- [SHA-1] Xeon Sender binaries – 078e90c959e3290a4f716fbf4e1d09fe46aaa68b, 08d7091b7a9907a6f5894f31cd34e3e8e11cc026, and 8 more hashes
- [SHA-1] Xeon Sender Archive – a19db8716c39454bf363327441dc2e5f46810c30, 33c622345804b46d0494f83720fad45ec0df3e97, and 1 more hash
- [File Path] Config files – config/message.txt, config/phone.txt