Following the VexTrio DNS Trail

Infoblox and subsequent WhoisXML API analysis traced VexTrio, a long-running traffic distribution system linked to ClearFake and SocGholish, which used hundreds of domains and IP addresses to route victims toward phishing and malware infrastructure. The expanded investigation uncovered 504 connected web properties, multiple malicious IPs and domains, and signs of platform impersonation (notably TikTok), highlighting widespread use of registered domains, DNS, and redirection techniques. #VexTrio #SocGholish

Keypoints

  • VexTrio operated as a traffic distribution system (TDS) since 2017 and is linked to threat actors such as ClearFake and SocGholish.
  • Infoblox initially provided 23 domain/subdomain IoCs; WhoisXML API expanded analysis to find 504 connected web properties across multiple data sources.
  • Investigative steps included bulk WHOIS, WHOIS History, reverse WHOIS, DNS lookups, IP geolocation, reverse IP, Threat Intelligence API, screenshot checks, and domain/subdomain discovery.
  • Analysis found 13 IP addresses (10 flagged malicious), 37 email-connected domains, 207 IP-connected domains (18 malicious), and 247 string-connected domains.
  • Threat Intel associated several IPs with C2, malware, phishing, and suspicious activity (examples: 45.11.27.62 as C2; 104.21.64.9 with malware/phishing).
  • Evidence of platform impersonation included 31 domains/subdomains containing “tiktok.” and use of URL shortening services in campaigns.
  • Findings highlighted registrar and geolocation patterns (most domains created in 2023; many hosted in the U.S.; Cloudflare hosted several IPs).

MITRE Techniques

  • [T1583.001] Domains – Threat actors registered and used multiple domains/subdomains as infrastructure to host or redirect to malicious content. (‘They were administered by six registrars…’, ‘They were created in 2023’)
  • [T1596] Search Open Websites/Domains – Investigators used WHOIS History and reverse WHOIS to find related email addresses and connected domains. (‘WHOIS History API queries… led to the discovery of 19 email addresses’)
  • [T1566] Phishing – Actors impersonated legitimate platforms (TikTok and URL shorteners) to lure victims. (‘tiktok[.]megastok[.]top’ and other ‘tiktok.[…]’ entries; use of TinyURL, t.co, and is.gd)
  • [T1071] Application Layer Protocol – Infrastructure was associated with command-and-control and malware activities over standard protocols on hosted IPs. (‘45[.]11[.]27[.]62’ labeled ‘C2’ and other IPs shown as ‘Malware’ or ‘Phishing’)
  • [T1036] Masquerading – Subdomains and domains were crafted to mimic legitimate services and brands to evade detection. (‘tiktok.’-containing subdomains and use of URL-shortening services for redirection)

Indicators of Compromise

  • [Domain IoCs] initial and related malicious domains – tiktok[.]megastok[.]top, megastok[.]top, and 22 other domain IoCs identified by Infoblox and expanded by WhoisXML API
  • [Subdomain IoCs] impersonation subdomains – tiktok[.]superbowsm[.]top, tiktok[.]tomorrows[.]top (used to mimic TikTok)
  • [IP addresses] malicious hosting and C2 – 45[.]11[.]27[.]62 (C2), 185[.]155[.]184[.]32 (Malware), and other flagged IPs such as 104[.]21[.]64[.]9
  • [IP-connected domains] domains resolving to malicious IPs – assistpayout[.]org, jqueryns[.]com, and other IP-connected domains linked to malware/C2
  • [String-connected domains] domains sharing IoC text strings – examples starting with antibotcloud., clicksme., tomorrows., and 244 other string-matched domains

Starting from the 23 domains identified by Infoblox, researchers performed a staged infrastructure pivot: bulk WHOIS lookups established registrar, creation date, and registrant country patterns (most domains created in 2023, NameSilo the most common registrar, and many registered in the U.S.). WHOIS History API queries produced historical registrant emails (19 unique, seven public), and reverse WHOIS expanded those to 37 email-connected domains; screenshot checks confirmed only two of those remained live (both for sale).

DNS lookups for the IoCs resolved to 13 unique IPs; IP geolocation and ASN lookup mapped those IPs across six countries and six ISPs (Cloudflare accounting for eight IPs). Threat Intelligence API flagged 10 IPs with associations to C2, malware, phishing, or suspicious activity (examples: 45.11.27.62 as C2; 104.21.64.9 with malware/phishing). Reverse IP queries yielded 207 IP-connected domains, of which 18 were linked to malicious activity by threat feeds (examples: assistpayout[.]org, searchgear[.]pro, jqueryns[.]com).

Finally, string-based domain discovery produced 247 domains that contained textual elements from the original IoCs, and targeted searches for “tiktok.” revealed 25 tiktok-containing subdomains and six tiktok-containing domains created around the campaign timeframe. In total, the expansion produced 504 connected web properties (37 email-connected domains, 13 IPs, 207 IP-connected domains, 247 string-connected domains) with 28 assets flagged malicious, demonstrating a repeatable investigative workflow combining WHOIS, DNS, reverse lookups, threat intelligence, and screenshot validation.
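The string-connected pivot and the TikTok-lookalike filtering described above, as an added Python example that is not part of the original CircleID/WhoisXML API analysis. The seed IoCs are the defanged names quoted on this page; the candidate hostnames and their creation years are constructed, and the registrable-label logic assumes single-label TLDs such as .top.

```python
# Constructed seed IoCs, written defanged in the report's style (not the full list).
SEED_IOCS = [
    "tiktok[.]megastok[.]top",
    "megastok[.]top",
    "tiktok[.]superbowsm[.]top",
    "tiktok[.]tomorrows[.]top",
]

# Constructed candidates standing in for reverse-IP / domain-discovery output,
# each paired with a hypothetical WHOIS creation year.
CANDIDATES = {
    "tomorrows-cdn.top": 2023,
    "tiktok.tomorrows.top": 2023,
    "tiktokvideo.top": 2023,
    "superbowsm.top": 2023,
    "tiktok.clicksme.top": 2023,
    "news.tiktok.example.net": 2019,
}

def refang(ioc: str) -> str:
    """Turn a defanged IoC such as 'a[.]b[.]top' back into a plain hostname."""
    return ioc.replace("[.]", ".").strip().lower().rstrip(".")

def registrable_label(host: str) -> str:
    """Naive second-level label; assumes single-label TLDs such as .top or .org."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def pivot_strings(iocs, brand="tiktok"):
    """Labels that drive string-connected discovery; the impersonated brand is handled separately."""
    labels = {registrable_label(refang(i)) for i in iocs}
    return sorted(lbl for lbl in labels if brand not in lbl)

def classify(candidates, iocs, brand="tiktok", year=2023):
    """Bucket candidate hosts the way the report's expansion does."""
    out = {"string_connected": [], "brand_subdomains": [], "brand_domains": []}
    seeds = {refang(i) for i in iocs}
    strings = pivot_strings(iocs, brand)
    for host, created in sorted(candidates.items()):
        if host in seeds:
            continue  # already a known IoC, not a new discovery
        labels, reg = host.split("."), registrable_label(host)
        if any(s in reg for s in strings):
            out["string_connected"].append(host)
        if any(brand in lbl for lbl in labels[:-2]) and created == year:
            out["brand_subdomains"].append(host)  # e.g. tiktok.<domain>.top
        elif brand in reg and created == year:
            out["brand_domains"].append(host)  # brand inside the registered name
    return out
```

Swap `CANDIDATES` for real reverse-IP or domain-discovery output (with WHOIS creation years) to reproduce the page's three expansion buckets on live data.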

Read more: https://circleid.com/posts/20240313-following-the-vextrio-dns-trail