VexTrio: Cybercrime’s Uber – Trading Malware for More Than 60 Affiliates

As part of an extensive “criminal affiliate program,” the threat actors behind ClearFake, SocGholish, and numerous other actors have partnered with another organization called VexTrio, according to recent Infoblox research.

The business defined VexTrio as the “single largest malicious traffic broker described in security literature,” and stated that the most recent development shows the “breadth of their activities and depth of their connections within the cybercrime industry.”

Malicious campaigns that leverage domains produced by a Dictionary Domain Generation Algorithm to spread frauds, riskware, spyware, adware, potentially unwanted programs (PUPs), and pornographic content have been linked to VexTrio, which is thought to have been active since at least 2017.

This includes a cluster of activities in 2022 that disseminated the Glupteba malware after Google attempted to take down a sizable portion of its infrastructure in December 2021.

The organization also planned a large-scale attack in August 2023 using WordPress websites that were hijacked and conditionally redirected users to DDGA and intermediate command-and-control (C2) domains.

As the threat actor used the Domain Name System (DNS) protocol to obtain the redirect URLs, functioning as a DNS-based traffic distribution (or delivery or direction) system, the infections were noteworthy.

It is estimated that VexTrio runs a network of over 70,000 registered domains and brokers’ traffic for up to 60 affiliates, such as TikTok Refresh, SocGholish, and ClearFake.

The Hacker News was informed by Renée Burton, Infoblox's head of threat intelligence, that while the exact method of recruiting affiliates is currently unknown, there is a possibility that the VexTrio actors are promoting their services in dark web forums or at the very least, have a method by which other cyber criminals can contact them.

Infoblox published a deep-dive analysis with the magazine that stated, “VexTrio uniquely operates their affiliate program, providing a small number of dedicated servers to each affiliate. VexTrio's affiliate relationships appear longstanding.”

In addition to having several actors in its assault chains, VexTrio also has multiple TDS networks, which it uses to direct site users to illegal information according to their profile traits while screening out legitimate content. This allows it to maximize revenues.

These assaults use infrastructure that is owned by several parties, with participating affiliates forwarding traffic to TDS servers under VexTrio's control that originates from their resources. This traffic is redirected to more bogus websites or malevolent affiliate networks in the following stage.

“VexTrio's network uses a TDS to consume web traffic from other cyber criminals, as well as sell that traffic to its customers,” the researchers said. “VexTrio's TDS is a large and sophisticated cluster server that leverages tens of thousands of domains to manage all of the network traffic passing through it.”

There are two versions of the VexTrio-operated TDS: an HTTP-based version that supports URL queries with various parameters, and a DNS-based version that was initially implemented in July 2023.

At this point, it's important to note that, although operating TDS servers Keitaro and Parrot TDS, which serve as a means of rerouting web traffic to SocGholish infrastructure, SocGholish (also known as FakeUpdates) is an affiliate of VexTrio.

“There is no evidence that VexTrio is using Parrot TDS," Burton said. "VexTrio is significantly older than Parrot – it is the oldest known TDS – and they operate their software. VexTrio affiliates, like SocGholish, analogous to the legitimate marketing world, may leverage different platforms to distribute traffic and make money. It is more likely that Parrot TDS goes to VexTrio TDS but we haven't analyzed that traffic flow.”

Parrot TDS has been operational since October 2021, according to Palo Alto Networks Unit 42, while there is evidence that it might have existed as early as August 2019.

In an investigation released last week, the business stated that “Websites with Parrot TDS have malicious scripts injected into existing JavaScript code hosted on the server. This injected script consists of two components: an initial landing script that profiles the victim, and a payload script that can direct the victim's browser to a malicious location or piece of content.”

In turn, the injections are made easier by taking advantage of security flaws in content management systems (CMS) like Joomla and WordPress!

Similar to other affiliate networks, the VexTrio network uses attack vectors to harvest victim traffic. These vectors mostly target websites that are using a vulnerable version of WordPress and inject malicious JavaScript into HTML pages.

In one case that Infobox discovered, JavaScript from ClearFake, SocGholish, and VexTrio was discovered to have been injected into a compromised South African website.

But that's not all. VexTrio is accused of running some of its cyber-attacks in addition to providing online traffic to several others. The company allegedly makes money by abusing referral systems, obtaining web traffic from affiliates, and reselling that traffic to threat actors further down the chain.

“VexTrio's advanced business model facilitates partnerships with other actors and creates a sustainable and resilient ecosystem that is extremely difficult to destroy,” Infoblox said.

“It is challenging to accomplish accurate categorization and attribution because of the affiliate network's intricate architecture and entangled structure. Due to its intricacy, VexTrio has thrived for more than six years while going unnamed in the security sector.”

Burton went on to call VexTrio the “kingpin of cybercrime affiliations,” adding that “these traffic brokers go unnoticed, which allows global consumer cybercrime to thrive.” On the other hand, you can prevent all connected crimes by banning VexTrio traffic in DNS, regardless of what it is or whether you are aware of it.