Cybercrime's Silent Operator: The Unraveling of VexTrio's Malicious Network Empire

VexTrio is a massive and complex malicious traffic distribution system (TDS) operation.
It has a network of more than 60 affiliates that divert traffic into VexTrio, while it also operates its own TDS network.
While aspects of the operation have been discovered and analyzed by different researchers, the core network has remained largely unknown.
Two of the affiliates, for example, are ClearFake and SocGholish - both known through their malware.
VexTrio itself is purely a traffic broker; it is not tied to, or identified by, any particular malware.
Infoblox, a network visibility and control firm, has been tracking VexTrio for nearly two years, but has only more recently come to understand the extent of the operations.
There appears to be a stable relationship between affiliates and VexTrio: SocGholish has partnered with VexTrio for nearly two years at least, while ClearFake has had such a partnership throughout its lifetime.
A TDS is commonly used to route visitors to targeted advertising based on characteristics discovered about the visitor.
A malicious TDS applies the same principles to route visitors to malicious websites or pages.
Other affiliates exploit some of these visitors themselves and forward the rest to VexTrio, depending on the visitor's characteristics.
The most common method of collecting traffic used by the affiliates is a drive-by compromise targeting vulnerable WordPress sites.
Malicious JavaScript is injected into the HTML pages.
The complexity of the JavaScript varies between the affiliates, but it typically acts as a redirect to VexTrio servers.
VexTrio then rewards the affiliates on a first come, first served basis.
VexTrio consequently combines traffic from multiple affiliates with traffic garnered from its own TDS network.
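Defenders can catch the injected redirect scripts described above by scanning a site's served pages for scripts that send visitors off-site. The scanner below is an added example, not code from the article or from Infoblox; it assumes the site's legitimate hosts are known (the allowlist and the sample page are constructed).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic patterns for redirect statements seen in injected scripts
# (not exhaustive; obfuscated injections need deobfuscation first).
REDIRECT_RE = re.compile(
    r"(?:window|document|top|self)\.location(?:\.href)?\s*=\s*[\"'](https?://[^\"']+)[\"']"
    r"|location\.(?:replace|assign)\(\s*[\"'](https?://[^\"']+)[\"']"
)

class ScriptCollector(HTMLParser):  # collects inline <script> bodies and external src values
    def __init__(self):
        super().__init__()
        self._in_script, self.inline, self.srcs = False, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def find_offsite_redirects(html, allowed_hosts):
    """Return (kind, url) for redirects to, or scripts loaded from, hosts not in allowed_hosts."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for body in p.inline:  # inline redirect statements
        for m in REDIRECT_RE.finditer(body):
            url = m.group(1) or m.group(2)
            if urlparse(url).hostname not in allowed_hosts:
                findings.append(("redirect", url))
    for src in p.srcs:  # third-party script loaders
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            findings.append(("external-script", src))
    return findings

# Constructed sample: a normal page plus an injected cookie-gated redirect.
SAMPLE = """<html><head>
<script src="https://shop.example/wp-includes/js/jquery.js"></script>
<script>if(!document.cookie.includes('seen')){window.location.href="https://tds.example.invalid/?u=1";}</script>
</head><body><p>Hello</p></body></html>"""
```

Running `find_offsite_redirects(SAMPLE, {"shop.example"})` flags only the injected redirect; an empty allowlist also reports the jQuery loader as an external script.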
VexTrio has become a major broker in the criminal underworld.
VexTrio has been a prolific actor using DNS to carry out attacks across the globe.
Recently, notes Infoblox, VexTrio has migrated a large portion of its infrastructure to shared hosting providers, making them more difficult - but not impossible - to track.
The researchers purposely activated a VexTrio campaign known as robot Captcha, with no immediate effect.
The complex business model operated by VexTrio has enabled it to remain nameless for the last six years.


This Cyber News was published on www.securityweek.com. Publication date: Tue, 23 Jan 2024 22:43:06 +0000