VexTrio: The Uber of Cybercrime – Brokering Malware for 60+ Affiliates

The threat actors behind ClearFake, SocGholish, and dozens of other actors have established partnerships with another entity known as VexTrio as part of a massive “criminal affiliate program,” new findings from Infoblox reveal.

The latest development demonstrates the “breadth of their activities and depth of their connections within the cybercrime industry,” the company said, describing VexTrio as the “single largest malicious traffic broker described in security literature.”

VexTrio, which is believed to be have been active since at least 2017, has been attributed to malicious campaigns that use domains generated by a dictionary domain generation algorithm (DDGA) to propagate scams, riskware, spyware, adware, potentially unwanted programs (PUPs), and pornographic content.

This also includes a 2022 activity cluster that distributed the Glupteba malware following an earlier attempt by Google to take down a significant chunk of its infrastructure in December 2021.

In August 2023, the group orchestrated a widespread attack involving compromised WordPress websites that conditionally redirect visitors to intermediary command-and-control (C2) and DDGA domains.

What made the infections significant was the fact that the threat actor leveraged the Domain Name System (DNS) protocol to retrieve the redirect URLs, effectively acting as a DNS-based traffic distribution (or delivery or direction) system (TDS).

VexTrio is estimated to operate a network of more than 70,000 known domains, brokering traffic for as many as 60 affiliates, including ClearFake, SocGholish, and TikTok Refresh.

“VexTrio operates their affiliate program in a unique way, providing a small number of dedicated servers to each affiliate,” Infoblox said in a deep-dive report shared with The Hacker News. “VexTrio’s affiliate relationships appear longstanding.”

Not only can its attack chains can include multiple actors, VexTrio also controls multiple TDS networks to route site visitors to illegitimate content based on their profile attributes (e.g. geolocation, browser cookies, and browser language settings) in order to maximize profits, while filtering out the rest.

These attacks feature infrastructure owned by different parties wherein participating affiliates forward traffic originating from their own resources (e.g., compromised websites) to VexTrio-controlled TDS servers. In the next phase, this traffic is relayed to other fraudulent sites or malicious affiliate networks.

“VexTrio’s network uses a TDS to consume web traffic from other cybercriminals, as well as sell that traffic to its own customers,” the researchers said. “VexTrio’s TDS is a large and sophisticated cluster server that leverages tens of thousands of domains to manage all of the network traffic passing through it.”

The VexTrio-operated TDS comes in two flavors, one which is based on HTTP that handles URL queries with different parameters, and another based on DNS, the latter of which began to be first put to use in July 2023.

It’s worth noting at this stage that while SocGholish (aka FakeUpdates) is a VexTrio affiliate, it also operates other TDS servers, such as Keitaro and Parrot TDS, with the latter acting as a mechanism for redirecting web traffic to SocGholish infrastructure.

According to Palo Alto Networks Unit 42, Parrot TDS has been active since October 2021, although there is evidence to suggest that it may have been around as early as August 2019.

“Websites with Parrot TDS have malicious scripts injected into existing JavaScript code hosted on the server,” the company noted in an analysis last week. “This injected script consists of two components: an initial landing script that profiles the victim, and a payload script that can direct the victim’s browser to a malicious location or piece of content.”

The injections, in turn, are facilitated by the exploitation of known security vulnerabilities in content management systems (CMS) such as WordPress and Joomla!

The attack vectors adopted by the VexTrio affiliate network for gathering victim traffic is no different in that they primarily single out websites running a vulnerable version of the WordPress software to insert rogue JavaScript into their HTML pages.

In one instance identified by Infobox, a compromised website based in South Africa was found to be injected with JavaScript from ClearFake, SocGholish, and VexTrio.

That’s not all. Besides contributing web traffic to numerous cyber campaigns, VexTrio is also suspected to carry out some of its own, making money by abusing referral programs and receiving web traffic from an affiliate and then reselling that traffic to a downstream threat actor.

“VexTrio’s advanced business model facilitates partnerships with other actors and creates a sustainable and resilient ecosystem that is extremely difficult to destroy,” Infoblox concluded.

“Due to the complex design and entangled nature of the affiliate network, precise classification and attribution is difficult to achieve. This complexity has allowed VexTrio to flourish while remaining nameless to the security industry for over six years.”