Priya PatelTLDR:
- Infoblox has released new research revealing a large-scale criminal affiliate program led by threat actor VexTrio.
- VexTrio is a cybercriminal broker that operates traffic distribution systems (TDS) to route users to malicious websites.
- The network involves more than 60 cybercriminal affiliates and has delivered high volumes of malware to networks in Australia, New Zealand, and globally.
- VexTrio has evaded detection and built a unique partner program, making it one of the largest malicious networks targeting internet users.
Infoblox, a network security company, has published research uncovering a massive criminal affiliate program led by threat actor VexTrio. The program involves more than 60 cybercriminal affiliates and has delivered large quantities of malware and other malicious content to networks in Australia, New Zealand, and around the world. VexTrio, which was formed over six years ago, operates as a cybercriminal broker and uses traffic distribution systems (TDS) to direct users to malicious websites based on their device, operating system, location, and other characteristics. Despite its activities, VexTrio has largely avoided detection and has established a unique partner program. The report highlights that VexTrio is the most pervasive threat in Infoblox customers’ networks, operating in over 50% of networks in the past two years. The threat actor has close partnerships with its affiliations, providing dedicated servers to each one. Two of its largest affiliates, ClearFake and SocGholish, are responsible for presenting website visitors with harmful content and injecting malicious JavaScript into vulnerable websites, respectively. VexTrio is also known for operating SMS scams where it sells victims’ phone numbers to other cybercriminals. The network is a DNS attacker, with over 70,000 malicious domains. Its most common attack method is the “drive-by compromise,” where vulnerable WordPress websites are compromised and malicious JavaScript is injected into the pages. The script contains traffic distribution systems that redirect victims to malicious infrastructure and collect information like their IP addresses. The report suggests that blocking VexTrio at the DNS level can disrupt and protect against a wide range of cybercriminal activities. With over 90% of malware relying on DNS at some stage, it is crucial for Australian organizations to understand how DNS threat actors like VexTrio operate.
