Large volumes of malware and other malicious content are being delivered to networks in APAC, Australia, New Zealand and around the world as a result of a set of large-scale cybercriminal partnerships led by the largely secret but insidious threat actor VexTrio.
Renée Burton, head of threat intelligence at Infoblox and former top executive at the US National Security Agency, told TechRepublic that VexTrio's international network includes relationships with ClearFake, SocGholish, and more than 60 other clandestine affiliates.
Burton recommends that the cybersecurity industry in the region focus more on discovering and removing secret middle-layer actors like VexTrio than on endpoint malware or phishing threats, and implement protective domain name system (DNS) measures to block malicious domains.
What is VexTrio and why are Australia and APAC in its sights?
Formed over six years ago, VexTrio has been revealed by Infoblox as one of the world's largest and oldest brokers of malicious web traffic targeting enterprise and consumer internet users. Infoblox estimates the VexTrio threat was worth $10 trillion (A$15 trillion) in 2023 and projects it will grow to $25 trillion (A$38 trillion) by 2025.
VexTrio acts as a traffic distribution system (TDS), a term borrowed from similar web-traffic services in the marketing world. Users drawn in through its network of international affiliates are handed off to other criminal entities, where they can be attacked with malware and phishing (Figure A).
Infoblox's investigation revealed that VexTrio has formed strategic partnerships with SocGholish and ClearFake, which use malicious JavaScript frameworks, as well as more than 60 other underground affiliates. SocGholish is considered one of the top three global threats today.
VexTrio targets consumer and business internet users in APAC and Australia
Burton said business and consumer internet users in Australia, New Zealand and the wider APAC region are at risk because, unlike some threat actors who tend not to target certain countries or regions, VexTrio is essentially “after the internet,” including in APAC and Australasia.
VexTrio operates in 32 languages, which Infoblox uncovered through the network's automated detection of the language of a user's browser. Burton said complaints are coming in from the region, and that users in Japan in particular are the source of a large number of them.
“If you think about one of the main ways that VexTrio and its affiliates get their initial victims, one of the main ways is through WordPress compromise,” Burton said. “They search the Internet for websites that are vulnerable to carrying out different types of attacks. They don’t care where they are.”
Opening a limited window into global cybercrime operations
The partial unmasking of VexTrio is a window into how cybercrime operates globally and in APAC. While cybercriminals are often portrayed as gangs of hackers or brilliant, solitary coders, they more often “buy and sell goods and services as part of a broader criminal economy.”
“Some actors sell malware services, and malware-as-a-service allows buyers to easily access the infrastructure to commit crimes,” Burton said. “These service providers also form strategic partnerships, similar to those done by legitimate companies, to expand the boundaries of their operations.”
However, “such relationships are forged in secret and can include multiple partners,” she said, making them difficult to untangle and understand from an outside perspective. Burton said that despite some knowledge of VexTrio, its identity and location remain a mystery.
What are the common signs of a VexTrio attack on a company?
The most common attack method deployed by VexTrio and its affiliates is an “induced compromise,” where actors compromise vulnerable WordPress websites and inject malicious JavaScript into their HTML pages. This script typically contains a TDS that redirects victims to malicious infrastructure and collects information such as their IP address.
Burton said business users often find these pages through Google search results, with VexTrio-affiliated websites appearing at the top of the results and sending employees “down a rabbit hole.” Once the actors have compromised a machine, particularly through Chrome browser extensions, they can send “anything they want,” including phishing emails.
Users who have been attacked via VexTrio typically report seeing many ads and pop-ups and/or losing control of their browsers after the attack. Their credentials or financial information may be stolen.
What can APAC IT professionals do to protect themselves from VexTrio?
Infoblox has called for more industry-wide action targeting intermediaries like VexTrio rather than the malware or phishing pages, which have the ability to “rotate from left to right.” She said the industry's attention is on those, not on traffic distribution systems.
“As an industry, whether it's among governments or commercial companies, we really focus on malware: there are classes on malware, conferences on malware,” Burton said. “We don't focus on infrastructure. Most products work at the endpoint, firewall and IP security layer.”
Burton added that user education had been successful in cases such as business email compromise. She said it could be applied in a similar way to warn users about typical VexTrio-related threats, such as saying no when pop-ups ask users to allow a site to show notifications.
Implement available DNS protection mechanisms
Infoblox defines Protective DNS as any security service that analyzes DNS queries and takes steps to mitigate threats by leveraging the existing DNS protocol and architecture. It can prevent malware, ransomware, and phishing attacks at the source, improving network security.
Burton said countries like Australia had a history of offering protective DNS for free, and if this effort expanded or there was greater adoption, TDS domains could be blocked. This would stop threats at the middle layer, regardless of the malware on the endpoint or the phishing page.
She recommended that APAC-based IT professionals use commercially available protective DNS software to monitor threats at the DNS level, whether it comes from their local governments, commercial vendors, or from “developing their own.”
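To show concretely how a protective DNS layer blocks a TDS domain before the browser ever reaches the redirect chain, here is an added example (not Infoblox's code or any product's) of the core decision a DNS-level filter makes: parse the wire-format query, match the queried name and its parent domains against a blocklist, and either forward it or answer it locally with a sinkhole address or NXDOMAIN. The blocklist entries and sinkhole IP are constructed placeholders, not real VexTrio indicators.

```python
import struct

# Constructed blocklist of TDS-style domains (placeholders, NOT real indicators).
BLOCKLIST = {"tds-example.test", "redirector.example"}
# Assumption: blocked names are answered with a local sinkhole address.
SINKHOLE_IP = "127.0.0.1"


def parse_qname(msg, offset):
    """Read a DNS wire-format name (label-length prefixed, no compression in questions)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def build_query(name, qid=0x1234):
    """Construct a standard A/IN query the way a stub resolver would send it."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def is_blocked(name):
    """Match the exact name or any parent domain, so sub.tds-example.test is caught too."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))


def filter_query(msg, mode="sinkhole"):
    """Return (verdict, qname, response). A 'blocked' verdict is the event worth logging."""
    (qid,) = struct.unpack("!H", msg[:2])
    name, end = parse_qname(msg, 12)
    question = msg[12:end + 4]  # QNAME + QTYPE + QCLASS, echoed back in the reply
    if not is_blocked(name):
        return ("forward", name, None)  # hand to the upstream resolver unchanged
    if mode == "nxdomain":
        # QR=1, AA=1, RD=1, RA=1, RCODE=3 (NXDOMAIN), no answer records
        return ("blocked", name, struct.pack("!HHHHHH", qid, 0x8583, 1, 0, 0, 0) + question)
    header = struct.pack("!HHHHHH", qid, 0x8580, 1, 1, 0, 0)  # RCODE=0, one answer
    rdata = bytes(int(o) for o in SINKHOLE_IP.split("."))
    # Name pointer 0xC00C refers to the question name at offset 12; A record, TTL 60
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return ("blocked", name, header + question + answer)
```

Wrapping filter_query in a UDP socket loop that relays "forward" verdicts to an upstream resolver turns it into a minimal local protective DNS filter; the "blocked" verdicts double as a detection log of endpoints that tried to reach TDS infrastructure.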