Scoop has an Ethical Paywall
Work smarter with a Pro licence Learn More

Video | Agriculture | Confidence | Economy | Energy | Employment | Finance | Media | Property | RBNZ | Science | SOEs | Tax | Technology | Telecoms | Tourism | Transport | Search


VexTrio Operates Massive Criminal Affiliate Program

Infoblox has released new research unveiling a set of large-scale malicious cybercriminal partnerships led by insidious threat actor VexTrio. The partnerships involve a more than 60-strong underground affiliate network and are seeing high volumes of malware and other malicious content delivered to networks in Australia, New Zealand and across the globe.

Formed more than six years ago, VexTrio is now one of the world’s largest malicious networks targeting internet users today. It acts as a cybercriminal broker and operates traffic distribution systems (TDS) that route users based on their device, operating system, location, and other characteristics to malicious websites.

VexTrio has largely evaded detection and strengthened its resilience against internet service providers’ efforts to suspend its assets, all while building up a unique ‘partner program’.

“While cybercriminals are often portrayed as gangs of hackers or lone brilliant coders, more often they buy and sell goods and services as part of a larger criminal economy,” said Renée Burton, Head of Threat Intelligence at Infoblox and a former Senior Executive (DISL) with the U.S. National Security Agency (NSA).

Advertisement - scroll to continue reading

Are you getting our free newsletter?

Subscribe to Scoop’s 'The Catch Up' our free weekly newsletter sent to your inbox every Monday with stories from across our network.

“For example, some actors sell malware services, and malware-as-a-service (MaaS) allows buyers easy access to the infrastructure necessary to commit crimes. These service providers also form strategic partnerships, similar to the way legitimate companies do, in order to extend the limits of their current operations. Such relationships are forged in secret and may include a number of partners, making them difficult to untangle and understand from an outside perspective.”

Key findings from the report include:

  • VexTrio is the single most pervasive threats in Infoblox customers’ networks, active in more than 50 per cent of networks in just the last two years.
  • The threat actor acts as a broker of malicious traffic for more than 60 cybercriminal affiliates.
  • Partnerships tend to be longstanding and operate in a unique way, with VexTrio providing a number of dedicated servers to each affiliate.
  • Despite connecting millions of web users to malicious content for more than six years, VexTrio has largely evaded detection due to its successful business model that feeds on web traffic from its affiliates and has infrastructure built on compromised websites.
  • Two of its largest affiliates are ClearFake and SocGholish; malicious JavaScript frameworks that present website visitors with harmful content and inject malicious JavaScript into vulnerable websites, respectively. SocGholish is widely considered to be one of the top three global threats today.
  • VexTrio is a prolific domain name system (DNS) attacker and has more than 70,000 known malicious domains.

The most common attack method deployed by VexTrio and its affiliates is the ‘drive-by compromise’, where actors compromise vulnerable WordPress websites and inject malicious JavaScript into their HTML pages. This script typically contains a TDS that redirects victims to malicious infrastructure and gathers information such as their IP address. VexTrio also operates SMS scams where it sells victims’ phone numbers to other cybercriminals.

“Although difficult to identify and track, blocking VexTrio at the DNS level can disrupt and protect against a large spectrum of cybercriminal activity,” added Burton.

“This can be achieved through using tailored DNS signatures and statistical-based algorithms to identify VexTrio’s intermediary TDS servers and domains shortly after they’re registered. As Australian organisations look to raise their security posture in the wake of the new Cyber Security Strategy, it’s important to understand how DNS threat actors like VexTrio operate, particularly as more than 90 per cent of malware depends on DNS at some stage of its execution.”

The full report on VexTrio and its affiliate network can be found here.

© Scoop Media

Advertisement - scroll to continue reading
Business Headlines | Sci-Tech Headlines

GenPro: General Practices Begin Issuing Clause 14 Notices

GenPro has been copied into a rising number of Clause 14 notices issued since the NZNO lodged its Primary Practice Pay Equity Claim against General Practice employers in December 2023.More

SPADA: Screen Industry Unites For Streaming Platform Regulation & Intellectual Property Protections

In an unprecedented international collaboration, representatives of screen producing organisations from around the world have released a joint statement.More


Join Our Free Newsletter

Subscribe to Scoop’s 'The Catch Up' our free weekly newsletter sent to your inbox every Monday with stories from across our network.