More than 70,000 presumably legit websites have been hijacked and drafted into a network that crooks use to distribute malware, serve phishing pages, and share other dodgy stuff, according to researchers.
This mesh of compromised sites is known as VexTrio, and has been mostly flying under the radar since its inception in 2017 or earlier, though lately more details about the operation have emerged.
The process is simple, and mirrors the traffic distribution systems, or TDSes, that the marketing world uses to direct netizens to particular sites based on their interests or similar.
In the case of VexTrio, tens of thousands of websites are compromised so that their visitors are redirected to pages that serve up malware downloads, show fake login pages to steal credentials, or perform some other fraud or cyber-crime.
It's said at least 60 affiliates are involved in the network in some way.
Some partners provide the compromised websites, which send marks to VexTrio's own TDS infrastructure, which in turn directs those victims' browsers to harmful pages.
The TDS typically only redirects people if they meet certain criteria.
VexTrio takes a fee from the crooks running the fraudulent sites for directing web traffic their way, and the miscreants who provided the compromised websites in the first place get a cut.
We're told the TDS also sends netizens to scam websites operated by the VexTrio crew itself, allowing the criminals to profit directly from their fraud.
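Because the TDS only redirects visitors who meet its criteria, a single check of your own site with a command-line client can miss the hijack. The added example below (not from the article or from Infoblox) traces the redirect chain by hand under several constructed client profiles and reports any hop that leaves the starting host; the profile names, header values and the `example.test`/`.invalid` hosts are all assumptions made up for illustration.

```python
# Added example: trace HTTP redirect chains from a site you operate under
# several client profiles, because a TDS may redirect a browser but not a
# scanner.  The fetcher is injectable so the chain logic runs offline too.
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Constructed client profiles (assumed, not from the article).
PROFILES = {
    "desktop-chrome": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                                     "AppleWebKit/537.36 Chrome/120.0 Safari/537.36"},
    "android-chrome": {"User-Agent": "Mozilla/5.0 (Linux; Android 13) "
                                     "AppleWebKit/537.36 Chrome/120.0 Mobile Safari/537.36"},
    "curl": {"User-Agent": "curl/8.4.0"},
}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_fetch(url, headers):
    """One request, no auto-follow: returns (status, Location header or None)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:   # 3xx lands here because we refused to follow
        return err.code, err.headers.get("Location")

def trace(url, headers, fetch=http_fetch, max_hops=10):
    """Follow 3xx Location headers by hand; return the list of URLs visited."""
    hops = [url]
    for _ in range(max_hops):
        status, location = fetch(hops[-1], headers)
        if not (300 <= status < 400 and location):
            break
        hops.append(urljoin(hops[-1], location))
    return hops

def foreign_hops(hops):
    """Hostnames in the chain other than the starting host (the trail a TDS leaves)."""
    origin = urlsplit(hops[0]).hostname
    return [urlsplit(h).hostname for h in hops[1:] if urlsplit(h).hostname != origin]

def compare_profiles(url, fetch=http_fetch):
    """Trace under every profile.  A chain that appears for browser profiles but
    not for curl is exactly the conditional redirect worth investigating."""
    return {name: foreign_hops(trace(url, hdrs, fetch)) for name, hdrs in PROFILES.items()}
```

Run `compare_profiles("https://your-site.example/")` against a page you own; an empty list for every profile is the expected healthy result.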
Of the TDS crew's 70,000-odd known domains, references or links to almost half were apparently spotted in those customers' networks.
In its technical report, co-written by McEoin and staff researcher Christopher Kim, Infoblox disclosed signs of compromise that you can look out for on your own IT environments.
The security shop has been tracking VexTrio for two years, and first flagged up the group in June 2022.
Interestingly enough, and perhaps as an indicator of the TDS's reach, one strain of malware pushed via VexTrio is SocGholish, aka FakeUpdates, which topped Check Point's list of the most prevalent malware in January, affecting four percent of observed organizations worldwide.
This downloader even outpaced Qbot last month, which had a global impact of three percent, we're told.
SocGholish, which is written in JavaScript, is usually triggered when visiting a compromised website and targets Windows machines: it pretends to offer a browser update that, when accepted and run by a mark, infects their PC with backdoor malware, ransomware, and other stuff.
In January, SocGholish was observed bringing GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult onto victims' machines.
Infoblox said the info-stealing ClearFake malware, documented here by McEoin, is also pushed via VexTrio.
The security firm bases this info on about 200 ransomware groups' leak sites, and these aren't always the most reliable measure of which organizations have suffered infections, and by whom.
Victims' names are frequently removed by the crims during negotiations, or sometimes they never even make the sites if they pay up quickly.
According to Check Point's metrics, LockBit3 was responsible for 20 percent of the claimed attacks, followed by 8Base with 10 percent and Akira with nine percent.
This Cyber News was published on go.theregister.com. Publication date: Sat, 10 Feb 2024 04:13:03 +0000