CTI Roundup: Xeon Sender Targets Cloud APIs and MoonPeak Malware Updates

Xeon Sender targets cloud APIs, Cisco Talos reveals UAT-5394 infrastructure, and attackers leverage public .env files to extort victims

Emerging Issue

In this week’s roundup, CTI looks at a tool called Xeon Sender which is now being used for SMS phishing and spam campaigns. Next, CTI examines the latest infrastructure from a group of state-sponsored North Korean actors tracked as UAT-5394. Finally, CTI investigates a large-scale extortion campaign that exploits publicly accessible environment variable (.env) files containing credentials associated with cloud and social media applications.

1. Xeon Sender targets cloud APIs

A threat actor was recently observed using a cloud attack tool called Xeon Sender in SMS phishing and spam campaigns.

Xeon Sender — also known as XeonV5 and SVG Sender — allows threat actors to distribute messages through different SaaS providers using valid credentials. The tool uses multiple service providers including Amazon Simple Notification Service (SNS), Nexmo, Plivo, Proovl, Send99, Telesign, Telnyx, TextBelt, and Twilio.

Xeon Sender has been around since at least 2022 and is currently being distributed on Telegram. Another version is hosted on a web server with a GUI, which allows lower-skilled actors to access and use the tool.

How Xeon Sender works

According to SentinelOne, Xeon Sender has a simple CLI that lets the actor talk to each provider's API and run campaigns with little effort. To use the tool, the actor must already hold valid API keys for the targeted service.

Each provider requires multiple values from the operator or actor including the API key, secret key, AWS region for AWS SNS, customer ID for Telesign, sender ID, message contents, and a list of targeted phone numbers stored in a text file. These values are used in an API request to the targeted service. The script loops through the text file of phone numbers until each phone number is accessed, taking a 50-millisecond sleep in between each iteration of the loop.

Related utilities

Xeon Sender has other related utilities in addition to the different SMS-sending methods. For example, account checker tools will validate credentials for Nexmo and Twilio accounts. In addition, it has a phone number generator that will use Python to generate a number of a given length. It also has a phone checker that will scan a phone number against APILayer[.]com’s Number Verification API to confirm a number is valid.

Analyst comments from Tanium’s Cyber Threat Intelligence team

This tool makes use of legitimate services to carry out bulk operations, which makes detection more difficult.

The use of legitimate services is surging right now, with various strains of ransomware and malware abusing legitimate services to evade detection.

2. Cisco Talos reveals UAT-5394 infrastructure

Cisco Talos is sharing details of infrastructure that is believed to be used by a state-sponsored North Korean group of actors tracked as UAT-5394.

The infrastructure has ties to a campaign that uses a variant of the XenoRAT malware called MoonPeak. The actor is using virtual machines to test the malware before deployment and has recently pivoted away from the use of legitimate cloud services.

UAT-5394 infrastructure

Researchers discovered a handful of new servers while mapping the campaign’s infrastructure. The infrastructure includes remote access and C2 servers, sites to host payloads, and virtual machines for testing the malware before distributing it.

Shifting away from cloud services

According to Cisco Talos, the actor is no longer using legitimate cloud storage providers to host payloads. In June, the actor started using its own servers and systems. For readers who want more technical detail, the Cisco Talos report walks through many of the servers used in the campaign.

Virtual machines for testing

Part of this actor’s latest infrastructure includes virtual machines that are hosted on public IPs. These have been observed reaching out to various MoonPeak C2 servers over ports that are configured in the malware itself.

Cisco Talos determined that two virtual machines were used to test MoonPeak infections over ports 9966, 9936, 8936, and 9999. A third machine was also used to test infections but served a dual purpose and was also used to RDP into C2 servers. This is an uncommon technique.

Evolution of MoonPeak malware

Based on its analysis of recent MoonPeak samples, Cisco Talos determined that the malware has been evolving over time.

This evolution aligns with the new infrastructure and with the testing that occurs via virtual machines. Each new sample of the malware introduces slightly more obfuscation and small variations in communications.

Analyst comments from Tanium’s Cyber Threat Intelligence team

The main takeaway is that the actor has shifted from hosting payloads on legitimate cloud storage providers to using servers and systems that they control. This shift is the opposite of what security researchers have been observing across the threat landscape. More and more actors seem to be leveraging legitimate cloud services in campaigns to blend in and evade detection.

At this point, it is unclear why the actor is reverting to traditional hosting methods. It will be interesting to see whether this shift works out for the actor or whether they pivot again.

3. Attackers leverage public .env files to extort victims

Palo Alto uncovered a large-scale extortion campaign that takes advantage of publicly accessible .env files containing credentials associated with cloud and social media applications.

The campaign sets up its attack infrastructure within the compromised organizations’ AWS environments and uses them as a launchpad to scan targets for data of interest.

Initial access and discovery

This campaign was the result of AWS IAM access keys obtained from publicly exposed .env files. The actors found these keys by scanning for .env files hosted on unsecured web apps and used the keys to access the hosting cloud environment.

For discovery, the actor performed different API calls to learn what they could about the environment and identify services to exploit including IAM, Security Token Service (STS), S3, and Simple Email Service (SES).

Privilege escalation

The actor realized that the IAM credential used for initial access did not have admin access to all cloud resources, but it did have permission to create new IAM roles and attach IAM policies to them. With this, the actor was able to escalate privileges within the cloud environments.

Execution

After escalating privileges, the actor tried to create two different infrastructure stacks: one on EC2 and the other on AWS Lambda.

The actor failed to create a security group, key pair, and EC2 instance. However, they were successful at creating several lambda functions with the IAM role they previously created.

Impact

The threat actor created and leveraged a lambda function to scan a list of domains to look for misconfigured and/or exposed .env files. Some of the .env files contained multiple variables that gave the actor information about multiple services within an environment.

Palo Alto categorized the credentials found in these files by application type and found that application credentials are the most common. They identified more than 90,000 unique combinations of leaked variables that contained access keys or IAM credentials.
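The discovery, privilege escalation and Lambda execution steps above leave a recognisable trail in CloudTrail. The following is an added example (not Palo Alto's or Tanium's code) that flags an access key which, in order, created an IAM role, attached or put a policy on a role, and then created a Lambda function within a time window, while counting the discovery and access-denied calls seen from the same key. The events are constructed sample records trimmed to the fields the check uses; the window size and the discovery call list are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CloudTrail events (not real data), trimmed to the fields used here.
SAMPLE_EVENTS = [
    {"eventTime": "2024-06-01T10:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000LEAKED"}},
    {"eventTime": "2024-06-01T10:00:05Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000LEAKED"}},
    {"eventTime": "2024-06-01T10:00:09Z", "eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000LEAKED"}},
    {"eventTime": "2024-06-01T10:01:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateRole", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000LEAKED"}},
    {"eventTime": "2024-06-01T10:01:20Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000LEAKED"}},
    {"eventTime": "2024-06-01T10:02:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "errorCode": "Client.UnauthorizedOperation", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000LEAKED"}},
    {"eventTime": "2024-06-01T10:03:00Z", "eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000LEAKED"}},
    # A key that only deploys a function, with no role creation before it, is not flagged.
    {"eventTime": "2024-06-01T11:00:00Z", "eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000DEPLOY"}},
]

# Assumed set of reconnaissance calls worth counting alongside the chain (IAM, STS, S3, SES).
DISCOVERY = {"GetCallerIdentity", "ListUsers", "ListRoles", "ListBuckets", "GetSendQuota"}


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_escalation_chains(events, window_minutes=60):
    """Return {accessKeyId: summary} for keys that created a role, attached or put a
    role policy, and then created a Lambda function, in that order and within the window."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_key[ev["userIdentity"].get("accessKeyId", "unknown")].append(ev)
    flagged = {}
    for key, evs in by_key.items():
        stage, chain_start, discovery, denied = 0, None, 0, 0
        for ev in evs:
            name = ev["eventName"]
            discovery += name in DISCOVERY
            denied += "errorCode" in ev  # e.g. the failed EC2 attempts described above
            if stage == 0 and name == "CreateRole":
                stage, chain_start = 1, _ts(ev)
            elif stage == 1 and name in ("AttachRolePolicy", "PutRolePolicy"):
                stage = 2
            elif stage == 2 and ev["eventSource"] == "lambda.amazonaws.com" and name.startswith("CreateFunction"):
                if _ts(ev) - chain_start <= timedelta(minutes=window_minutes):
                    stage = 3
                    break
        if stage == 3:
            flagged[key] = {"discovery_calls": discovery, "denied_calls": denied}
    return flagged


if __name__ == "__main__":
    print(find_escalation_chains(SAMPLE_EVENTS))
```

Lambda's CreateFunction appears in CloudTrail with an API version suffix (CreateFunction20150331), which is why the check matches on the prefix.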

Exfiltration

Aside from exploiting .env files, the actor was also observed exfiltrating data from S3 buckets using the S3 Browser tool.

Analyst comments from Tanium’s Cyber Threat Intelligence team

This campaign is a reminder that threat actors have an increased interest in cloud environments. What’s interesting is that this campaign does not exploit a vulnerability for initial access, and instead simply looks for the accidental exposure of .env files on unsecured web applications. Considering this, defenders have an opportunity to protect against this attack.

In its post, Palo Alto offers recommendations for reducing the risk of this attack.

Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
