This cybercrime network acts as a food delivery service for criminals and even uses legitimate affiliate marketing techniques to recruit other criminal partners

Cybersecurity researchers at Infoblox have unveiled new research into VexTrio, a “large-scale criminal affiliate program” that the team says counts more than five dozen criminal organizations on its client list.

As the researchers explain, VexTrio is a complex and massive traffic direction system (TDS). It works similarly to a legitimate marketing affiliate network, in that a threat actor forwards victim traffic from its own services (e.g. compromised websites) to a TDS server under VexTrio’s control.

VexTrio will then forward it to other affiliated networks or web pages, or to its own active phishing campaigns.

Headpin

The researchers started monitoring the network via DNS in 2020, but argue that the project likely started in 2017, if not earlier. There are more than 60 affiliates in the program, including high-profile names like SocGholish and ClearFake. “Some affiliated companies also run their own TDS,” the researchers explain. Sometimes they try to monetize their campaigns by keeping the traffic relevant to their own efforts and passing on the rest.

VexTrio’s operation is unique in the way it provides a small number of dedicated servers to each affiliate, the researchers said. The partnerships are durable, as they have been in place for years with some of its affiliates, such as SocGholish and ClearFake. VexTrio attack chains can involve multiple actors, the researchers further explained. “We observed four actors in an attack sequence,” they said.

In some cases, VexTrio and its affiliates abuse referral programs related to McAfee and Benaughty.

“Due to the complex design and interconnected nature of the connected network, accurate classification and attribution is difficult to achieve. This complexity has allowed VexTrio to thrive even though it remained nameless to the security industry for more than six years,” Renée Burton, Head of Threat Intelligence at Infoblox, told The Hacker News. For Burton, VexTrio is the “key player in cybercrime,” as “global consumer cybercrime thrives because these traffic brokers go undetected.”

So blocking VexTrio traffic in DNS means blocking all related crime, “regardless of what it is or whether you know about it.”
