Cybersecurity researchers at Infoblox have revealed new findings regarding VexTrio. VexTrio is a “large-scale criminal affiliate program” and the team says its client list includes more than 50 criminal organizations.
As described by the researchers, VexTrio is a complex and large-scale traffic distribution system (TDS). It works much like a legitimate marketing affiliate network: an attacker directs victim traffic from its own infrastructure (such as a compromised website) to a TDS server under VexTrio's control.
VexTrio then forwards that traffic to other affiliate networks and web pages, or to its own active phishing campaigns.
Kingpin
Researchers began tracking the network via DNS in 2020, but believe the operation probably started in 2017, if not earlier. VexTrio has over 60 affiliates participating in its program, including well-known operations such as SocGholish and ClearFake. Some affiliates also operate their own TDS, the researchers explained; in some cases an affiliate may try to monetize its own campaigns by keeping the traffic that relates to its efforts and relaying the rest.
VexTrio's operation is unusual in that it provides each affiliate with a small number of dedicated servers, Infoblox said. Its partnerships with some affiliates, such as SocGholish and ClearFake, have remained active for years. The researchers further explained that a VexTrio attack chain can involve multiple attackers. “We observed four attackers in a series of attacks,” they said.
In some cases, VexTrio and its affiliates are abusing referral programs associated with McAfee and Benaughty.
“Due to the complex design and complex nature of affiliate networks, accurate classification and attribution is difficult to achieve. This complexity has allowed VexTrio to thrive in obscurity in the security industry for over six years,” said Renee Burton, Director of Threat Intelligence at Infoblox, speaking to The Hacker News. Burton describes VexTrio as “a central figure in cybercrime organizations” and says that “global consumer cybercrime thrives because these traffic brokers go unnoticed.”
Blocking VexTrio traffic in DNS therefore means blocking all of the associated crimes, “regardless of what they are and whether you know about them or not.”