Cybercrime Central: VexTrio Operates Massive Criminal Affiliate Program

Cybercriminals are increasingly leveraging Traffic Distribution Systems (TDS) to facilitate their operations, allowing them to efficiently route victims to malicious content. This systematic research uncovers the complex web of affiliations among various actors, including VexTrio, ClearFake, and SocGholish, who collectively contribute to a substantial portion of the cybercrime economy. The findings emphasize the importance of disrupting TDS operations to effectively combat cyber threats. Affected: Cybercrime sector, Internet users, Security researchers.

Key points:

  • Cybercriminals operate through a collaborative economy, utilizing services like malware-as-a-service.
  • Researchers have uncovered affiliations among actors such as VexTrio, ClearFake, and SocGholish.
  • These actors utilize Traffic Distribution Systems (TDS) to redirect users to various forms of malicious content.
  • VexTrio is identified as the largest traffic broker in the cybercrime ecosystem with over 60 affiliates.
  • Continual updating of TDS techniques makes detection and blocking difficult for security operations.
  • Blocking TDS domains at the DNS level is a proactive defense strategy against cyber threats.
  • ClearFake and SocGholish are included as significant affiliates impacting users through dishonest software practices.
  • VexTrio’s domain generation strategies adapt quickly, evading traditional detection methods.

MITRE Techniques:

  • T1536 – Dynamic DNS (Procedure: VexTrio has been observed utilizing a DNS-based TDS to dynamically manage traffic based on device characteristics.)
  • T1633 – External Remote Services (Procedure: VexTrio and affiliates invoke traffic redirection to malicious domains for phishing and malware delivery.)
  • T1071 – Application Layer Protocol (Procedure: ClearFake and SocGholish redirect users through legitimate traffic channels to evade detection.)
  • T1102 – Web Service (Procedure: Malicious JavaScript injections are used to alter user navigation and track victims.)

Indicators of Compromise:

  • [Domain] bonustop-price[.]life
  • [Domain] logsmetrics[.]com
  • [Domain] greatbonushere[.]top
  • [Domain] tiktok[.]megastok[.]top
  • [Domain] antibotcloud[.]com
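The key points above recommend blocking TDS domains at the DNS level. The following is an added example, not code from the original report or from Infoblox, showing how a defender would turn the defanged indicators listed above into a DNS blocklist: refang the `[.]` notation, match queried names label-wise so that subdomains of a listed host are caught while look-alike names and unlisted parent domains are not, and render the result as Response Policy Zone (RPZ) records. The query names in `SAMPLE_QUERIES`, the zone origin `rpz.local.`, and all function names are constructed for the example.

```python
"""Build a DNS-level blocklist from defanged IoCs and check query names against it."""
import re
from typing import FrozenSet, Iterable, List

# Defanged domains exactly as listed in the summary above.
DEFANGED_IOCS = [
    "bonustop-price[.]life",
    "logsmetrics[.]com",
    "greatbonushere[.]top",
    "tiktok[.]megastok[.]top",
    "antibotcloud[.]com",
]

# Constructed DNS query names for the demonstration (not from the report).
SAMPLE_QUERIES = [
    "www.example.com",           # benign
    "antibotcloud.com",          # exact match on a listed domain
    "cdn.tiktok.megastok.top.",  # subdomain of a listed host, with trailing dot
    "megastok.top",              # parent of a listed host: not listed, so not blocked
    "notlogsmetrics.com",        # substring look-alike, must not match
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', '(.)', '{.}', 'hxxp://') back into a plain domain."""
    name = indicator.strip().lower()
    name = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", name)
    name = re.sub(r"^hxxps?://", "", name)
    return name.rstrip(".")


def build_blocklist(indicators: Iterable[str]) -> FrozenSet[str]:
    """Normalise a list of defanged indicators into a set of blocked domains."""
    return frozenset(refang(i) for i in indicators)


def is_blocked(qname: str, blocklist: FrozenSet[str]) -> bool:
    """True if qname equals a blocked domain or is a subdomain of one.

    Matching is done on whole labels, so 'notlogsmetrics.com' does not match
    'logsmetrics.com', and 'megastok.top' is not blocked just because
    'tiktok.megastok.top' is.
    """
    labels = qname.strip().lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def classify_queries(qnames: Iterable[str], blocklist: FrozenSet[str]) -> List[str]:
    """Return the queried names that hit the blocklist, in their original form and order."""
    return [q for q in qnames if is_blocked(q, blocklist)]


def to_rpz_zone(blocklist: FrozenSet[str], origin: str = "rpz.local.") -> str:
    """Render RPZ policy records that NXDOMAIN each domain and its subdomains.

    'CNAME .' is the RPZ action for NXDOMAIN; the wildcard record covers
    subdomains. Only the policy records are emitted, not the SOA/NS header
    a complete zone file also needs.
    """
    lines = [f"$ORIGIN {origin}"]
    for domain in sorted(blocklist):
        lines.append(f"{domain} CNAME .")
        lines.append(f"*.{domain} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    blocklist = build_blocklist(DEFANGED_IOCS)
    for q in SAMPLE_QUERIES:
        print(f"{q:28} -> {'BLOCK' if is_blocked(q, blocklist) else 'allow'}")
    print(to_rpz_zone(blocklist))
```

Feeding the rendered records into a resolver's RPZ configuration gives the proactive blocking the summary describes; the label-wise matching is the part most often got wrong in ad-hoc blocklists, where plain substring checks either miss subdomains or block unrelated look-alike names.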

Full Story: https://blogs.infoblox.com/threat-intelligence/cybercrime-central-vextrio-operates-massive-criminal-affiliate-program/