Cybersecurity researchers at Infoblox have revealed new research into VexTrio, a “massive criminal affiliate program” that the team says has more than five dozen criminal organizations on its client list.
As the researchers explained, VexTrio is a complex and massive traffic direction system (TDS). It works much like a legitimate affiliate marketing network: a threat actor forwards victim traffic from its own assets (e.g. compromised websites) to a TDS server under VexTrio's control.
VexTrio then redirects the victim to other affiliate networks or websites, or to its own active phishing campaigns.
Cornerstone
Researchers began tracing the network via DNS in 2020, but argue that the operation likely began in 2017, if not earlier. There are over 60 affiliates in the program, including high-profile names such as SocGholish and ClearFake. Some of the affiliates also run their own TDS, the researchers explain. Sometimes they monetize their campaigns by keeping the traffic relevant to their own efforts and forwarding the rest.
VexTrio's operation is said to be unique in that it provides a small number of dedicated servers to each affiliate. The partnerships are durable: some of its affiliates, such as SocGholish and ClearFake, have worked with VexTrio for years. VexTrio attack chains can include multiple actors, the researchers explained. “We have observed four actors in an attack sequence,” they said.
In some cases, VexTrio and its affiliates abuse referral programs related to McAfee and Benaughty.
“Due to the complex design and tangled nature of the affiliate network, accurate classification and attribution is difficult to achieve. This complexity has allowed VexTrio to thrive while remaining a name in the security industry for over six years,” Renée Burton, head of threat intelligence at Infoblox, told Hacker News. For Burton, VexTrio is the “chapter of cybercrime affiliations,” as “cybercrime against consumers globally thrives because these trafficking intermediaries go unnoticed.”
Consequently, blocking VexTrio traffic in DNS means blocking all of the related crimes, “regardless of what it is and whether you know it.”