Exposing VexTrio: Unraveling the Web of a 70,000-Site Cybercrime Empire

Exposing VexTrio: Unraveling the Web of a 70,000-Site Cybercrime Empire. VexTrio TDS: Uncovering a Vast 70,000-Domain Cybercrime Scheme. An extensive cybercrime network called ‘VexTrio’, a traffic distribution system (TDS) unknown until recently, has been facilitating the illegal activities of 60 affiliates via a colossal network of 70,000 websites since at least 2017.

Traffic Distribution Systems are mechanisms that reroute incoming web traffic to different destinations based on various factors such as the visitor’s device, geographic location, IP address, and operating system.

While TDSs are legitimately used in affiliate marketing for directing traffic, in the realm of cybercrime, they mislead users to harmful sites, including those hosting malware, phishing pages, and exploit kits.

A notable example is the Parrot TDS, which was recently featured in a Unit 42 investigation, highlighting its ongoing activity and development.

A recent Infoblox report sheds light on VexTrio, a much more expansive TDS operation. VexTrio collaborates with infamous cybercrime campaigns and groups like ClearFake and SocGholish. Active since 2017, VexTrio has established itself as a dominant force in the cybercrime world, orchestrating a vast network central to spreading malicious content.

Owning over 70,000 compromised websites, VexTrio demonstrates its extensive influence, using these platforms to disseminate harmful content across various websites and services.

Exposing VexTrio: Unraveling the Web of a 70,000-Site Cybercrime Empire

These sites are typically compromised by embedding malicious redirection scripts in their HTML, or, in some cases, created by the threat actors themselves using blackhat SEO methods to attract traffic.

Acting as a middleman in the traffic trade, VexTrio monetizes its services by redirecting traffic to the malicious sites of their cybercrime clients.

VexTrio has formed alliances with at least 60 affiliates, who channel traffic from their compromised sites to VexTrio’s TDS servers. Infoblox notes these partnerships are not fleeting, with some lasting up to four years, indicating strong mutual trust and benefit.

One of VexTrio’s affiliates, ClearFake, lures visitors on hacked sites to install fake browser updates, which then infect devices with malware. ClearFake has been collaborating with VexTrio for five months, using the Keitaro service as an intermediary redirection stage.

Similarly, the SocGholish malware campaign has been working with VexTrio since at least April 2022, also utilizing Keitaro TDS for intermediate redirection. SocGholish is known for its use by ransomware groups to breach corporate networks. The intricate and multi-layered attack strategies involving numerous threat actors make tracking and countering VexTrio’s activities difficult.

Moreover, VexTrio and its partners exploit legitimate referral programs to earn revenue, redirecting victims to trusted websites through affiliate links. This blending of their operations with legitimate services complicates the detection of their malicious intentions for both users and security systems.

A deceptive VexTrio campaign called ‘robot CAPTCHA‘ was highlighted in the Infoblox report. In this strategy, visitors to compromised sites are diverted to a fake CAPTCHA test, tricking them into allowing browser push notifications.

These notifications, appearing as authentic alerts or warnings, are sent from VexTrio’s servers, potentially leading victims to referral-generating landing pages. VexTrio even tailors these notifications to the user’s language using JavaScript modules.

Given the intricacy, robustness, and varied revenue channels and infection vectors, completely eliminating VexTrio poses a significant challenge, although identifying and mapping its network is a critical first step.

Infoblox advises users to reduce risk by only visiting SSL-certified websites, blocking browser push notifications, and employing ad-blockers to prevent pop-up ads.

Related Posts:

Hotel front desks are now a hotbed for hackers(Opens in a new browser tab)

Systematic Failure: Unraveling the Puzzle of Problem-Solving at Magna International’s Karmax Heavy Stamping(Opens in a new browser tab)

What Is Cybersecurity?(Opens in a new browser tab)

Cereal Confusion: Unraveling the Truth Behind Misleading Breakfast Product Labels in Canada(Opens in a new browser tab)

15 Hidden Windows 10 Features You Need to Know: Boost Productivity and Efficiency(Opens in a new browser tab)

Connected through code, Choose Your Platform!

About the Author: Bernard Aybout

In the land of bytes and bits, a father of three sits, With a heart for tech and coding kits, in IT he never quits. At Magna's door, he took his stance, in Canada's wide expanse, At Karmax Heavy Stamping - Cosma's dance, he gave his career a chance. With a passion deep for teaching code, to the young minds he showed, The path where digital seeds are sowed, in critical thinking mode. But alas, not all was bright and fair, at Magna's lair, oh despair, Harassment, intimidation, a chilling air, made the workplace hard to bear. Management's maze and morale's dip, made our hero's spirit flip, In a demoralizing grip, his well-being began to slip. So he bid adieu to Magna's scene, from the division not so serene, Yet in tech, his interest keen, continues to inspire and convene.