
VexTrio: Cybercrime’s Uber


A new report from Infoblox has uncovered a vast criminal affiliate program involving threat actors ClearFake, SocGholish, and a host of other malicious entities who have formed partnerships with an organization known as VexTrio. This revelation sheds light on the extensive nature of their activities and the depth of their connections within the cybercrime industry, with VexTrio being identified as the “largest malicious traffic broker” described in security literature.

According to the findings, VexTrio, believed to have been active since at least 2017, has been linked to various malicious campaigns that utilize domains generated by a dictionary domain generation algorithm (DDGA) to disseminate scams, spyware, adware, riskware, potentially unwanted programs (PUPs), and pornographic content. The report also highlights a 2022 activity cluster involving the distribution of the Glupteba malware, as well as a widespread attack in August 2023 that targeted compromised WordPress websites to redirect visitors to intermediary command-and-control (C2) and DDGA domains.

What sets these infections apart is their use of the Domain Name System (DNS) protocol to retrieve the redirect URLs, effectively establishing a DNS-based traffic distribution system (TDS). VexTrio is estimated to operate a network of over 70,000 known domains, serving as a traffic broker for as many as 60 affiliates, including ClearFake, SocGholish, and TikTok Refresh. VexTrio allocates a small number of dedicated servers to each affiliate, and its affiliate relationships appear to be longstanding.

The report further reveals that VexTrio not only orchestrates attacks involving multiple actors, but it also controls several TDS networks to route visitors to illicit content based on their profile attributes, such as geolocation, browser cookies, and language settings. By doing so, VexTrio maximizes profits while filtering out undesired traffic. The affiliate program operates by forwarding traffic from compromised websites to VexTrio-controlled TDS servers, which are then relayed to fraudulent sites or other malicious affiliate networks.

Furthermore, VexTrio operates a sophisticated TDS cluster that uses tens of thousands of domains to manage network traffic. The TDS comes in two versions: one based on HTTP that handles URL queries, and another based on DNS, which was first put to use in July 2023. While SocGholish is a VexTrio affiliate, it also works with other TDS servers such as Keitaro and Parrot TDS, the latter serving as a mechanism to redirect web traffic to SocGholish infrastructure.
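The two properties above, dictionary-generated (DDGA) domains and redirect URLs fetched over DNS, give a defender something concrete to hunt for in resolver logs: TXT lookups for registrable names that segment cleanly into dictionary words. The following is an added example, not code from Infoblox or from the report; the word list, the log format (timestamp, client, query type, query name) and the log lines are all constructed for illustration, and the heuristic is a generic DDGA check rather than a reproduction of VexTrio's actual generator.

```python
import re
from typing import Dict, List, Optional

# Constructed mini word list standing in for a real dictionary (assumption:
# a real DDGA draws on a far larger list; this one only serves the example).
WORDLIST = {
    "happy", "river", "stone", "garden", "quick", "silver", "cloud",
    "bright", "forest", "market", "winter", "ocean", "paper", "light",
    "update", "news", "shop", "blog",
}


def segment_words(label: str, words=WORDLIST, min_len: int = 3) -> Optional[List[str]]:
    """Split a DNS label into dictionary words (word-break by dynamic programming).

    Returns the segmentation using the fewest words, or None if the label
    cannot be fully covered by dictionary words of at least min_len letters.
    """
    n = len(label)
    best: List[Optional[List[str]]] = [None] * (n + 1)
    best[0] = []
    for i in range(1, n + 1):
        for j in range(0, i - min_len + 1):
            if best[j] is not None and label[j:i] in words:
                cand = best[j] + [label[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[n]


def registrable_label(domain: str) -> str:
    """Return the label left of the TLD, e.g. 'happyriverstone' for
    'happyriverstone.com' (simplification: no public-suffix handling)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_like_ddga(domain: str, min_words: int = 2) -> bool:
    """Heuristic: the registrable label is purely alphabetic and is a
    concatenation of at least min_words dictionary words."""
    label = registrable_label(domain)
    if not re.fullmatch(r"[a-z]+", label):
        return False
    seg = segment_words(label)
    return seg is not None and len(seg) >= min_words


# Constructed resolver log: "<timestamp> <client> <qtype> <qname>" per line.
LOGS = """\
2023-08-14T10:21:03Z 10.0.0.5 A www.example.com
2023-08-14T10:21:04Z 10.0.0.5 TXT happyriverstone.com
2023-08-14T10:21:09Z 10.0.0.7 TXT silvercloudforest.net
2023-08-14T10:21:11Z 10.0.0.5 A cdn.example.org
2023-08-14T10:21:15Z 10.0.0.9 TXT xk9qz2.info
2023-08-14T10:21:20Z 10.0.0.5 TXT _dmarc.example.com
"""


def parse_line(line: str) -> Dict[str, str]:
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname}


def flag_dns_tds_lookups(log_text: str) -> List[Dict[str, object]]:
    """Flag TXT queries whose registrable label looks dictionary-generated.

    TXT is the record type a DNS-based TDS can use to carry a redirect
    string; the query type used here is an assumption for the example.
    """
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec: Dict[str, object] = parse_line(line)
        if rec["qtype"] != "TXT":
            continue
        if looks_like_ddga(str(rec["qname"])):
            rec["words"] = segment_words(registrable_label(str(rec["qname"])))
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in flag_dns_tds_lookups(LOGS):
        print(hit["ts"], hit["client"], hit["qname"], "->", hit["words"])
```

Two of the six constructed lines are flagged; the random-looking `xk9qz2.info` and the legitimate `_dmarc` lookup are not. In production this check needs a real dictionary, an allowlist of known-good domains (SPF, DMARC and verification TXT records are routine), and a minimum word count tuned against your own baseline, since many ordinary brand names are also word concatenations.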

VexTrio’s extensive network is also suspected of carrying out its own cyber campaigns, abusing referral programs, and reselling traffic received from its affiliates to downstream threat actors. The sophisticated business model of VexTrio facilitates partnerships with other threat actors, creating a resilient and sustainable ecosystem that is remarkably challenging to dismantle.

Because of the intricate design and intertwined nature of the affiliate network, precise classification and attribution of VexTrio's activities have proven difficult. As a result, the operation has worked largely unnamed within the security industry for over six years, and its complexity and resilience have allowed it to keep thriving. The findings underscore how hard it is to disrupt a cybercriminal operation built as a broker between many independent actors rather than as a single campaign.
