Cybersecurity researchers from Infoblox have revealed new research on VexTrio, a “massive criminal affiliate program” that the team says counts more than five dozen criminal organizations in its customer list.
As explained by the researchers, VexTrio is a complex, and massive, traffic direction system (TDS). It operates similarly to a legitimate marketing affiliate network, in that a threat actor will forward victim traffic from their own services (for example, compromised websites) to a TDS server under VexTrio’s control.
VexTrio will then forward it to other affiliate networks or web pages, or its own active phishing campaigns.
The researchers started tracking the network via DNS in 2020, but argue that the project probably kicked off in 2017, if not earlier. There are more than 60 affiliates in the program, including high-profile names such as SoCGholish, or ClearFake. Some of the affiliates also run their own TDS’, the researchers explain. Sometimes, they’ll look to monetize their campaigns by keeping the traffic relevant for their efforts, and relaying the rest.
VexTrio’s operation is unique in the way that it provides a small number of dedicated servers to each affiliate, it was said. The partnerships are healthy, as with some of its affiliates, such as SoCGholish and ClearFake, they’ve been going on for years. VexTrio attack chains can include multiple actors, the researchers further explained. “We have observed four actors in an attack sequence,” they said.
In some cases, VexTrio and its affiliates abuse referral programs related to McAfee and Benaughty.
“Due to the complex design and entangled nature of the affiliate network, precise classification and attribution is difficult to achieve. This complexity has allowed VexTrio to flourish while remaining nameless to the security industry for over six years,” Renée Burton, head of threat intelligence at Infoblox, told The Hacker News. For Burton, VexTrio is the “kingpin of cybercrime affiliations,” as “global consumer cybercrime thrives because these traffic brokers go unnoticed.”
Consequently, blocking VexTrio traffic in DNS means blocking all related crime, “regardless of what it is and whether you know about it.”