This article reveals that multiple malware actors dependent on the VexTrio traffic distribution system (TDS) migrated to the Help TDS, which is closely linked to VexTrio rather than being independent. The research exposes complex affiliations among malicious adtech companies like Los Pollos, Partners House, BroPush, and RichAds, highlighting their role in facilitating widespread cybercrime via compromised websites and push notification scams. #VexTrio #LosPollos #HelpTDS #PartnersHouse #BroPush
Key points
- When Los Pollos ceased push monetization in November 2024, multiple malware actors shifted traffic from VexTrio to the Help TDS, which is actually linked to VexTrio and not an independent system.
- DNS TXT record campaigns used by WordPress malware opened new insights into the coordination of these malware actors and their use of distinct C2 infrastructure linked to VexTrio and Help TDS.
- Help TDS and Disposable TDS share codebases, rare scam images, and JavaScript, revealing a long-standing, intertwined relationship with VexTrio.
- Several commercial adtech firms, such as Partners House, BroPush, and RichAds, share rare web resource files and DNS configurations with VexTrio, indicating shared code lineage or partnerships.
- Malicious adtech operators exploit push notification subscriptions using fake CAPTCHAs and lure images, employing technologies like Firebase Cloud Messaging and custom Push API scripts for persistent victim targeting.
- Affiliate networks within VexTrio maintain detailed affiliate information, including identifying malware actors by unique affiliate IDs and vetting affiliates before admission.
- Public identification of many TDS operators was made possible through analysis of DNS patterns, rare web artifacts, and misconfigurations, exposing the complex adtech ecosystem behind major malware campaigns.
MITRE Techniques
- [T1071] Application Layer Protocol – Malware uses DNS TXT records to communicate encoded URLs for command and control, enabling redirection of visitors to malicious content (“in these campaigns, the threat actors used malicious scripts to look up DNS TXT records that contained a Base64-encoded URL”).
- [T1210] Exploitation of Remote Services – WordPress vulnerabilities exploited to compromise websites and redirect visitors through malicious TDSs (“compromised websites all over the world that had been exploited with different WordPress vulnerabilities”).
- [T1098] Account Manipulation – Affiliates are vetted and tracked within adtech networks, maintaining personal info on operators which may be exploited to identify threat actors (“These firms vet network affiliates before allowing them to join… and they maintain personal information about the affiliates and their payments”).
- [T1110] Brute Force – Persistence of malware through automated bot networks that monitor and reactivate disabled malicious plugins (“automated bot networks that actively monitor and reactivate disabled malicious plugins”).
- [T1499] Endpoint Denial of Service – Use of JavaScript preventing navigation away from phishing or scam pages to trap victims (“This script prevents a web user from navigating backward in their browser history… The second script tries to detect when the victim is leaving the current webpage”).
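As an added defensive example (not code from the article or the researchers), the following Python checker scans DNS TXT values and flags any that decode from Base64 to an http(s) URL, the lookup pattern described under T1071 above; the record names and the encoded URL are constructed placeholders using .invalid domains.

```python
"""Flag DNS TXT records whose value is a Base64-encoded http(s) URL (detection aid)."""
import base64
import binascii
import re

# Constructed sample: two legitimate mail-policy records and one record hiding a
# redirect URL, shaped like the /index/?[numbers] TDS pattern the report describes.
HIDDEN_URL = "https://tds.example.invalid/index/?123456"  # placeholder, not a real IoC
ENCODED_SAMPLE = base64.b64encode(HIDDEN_URL.encode()).decode()
SAMPLE_TXT_RECORDS = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "lookup.example-c2.invalid": [ENCODED_SAMPLE],
}

# A plausible Base64 blob: alphabet-only, long enough to hold a URL (standard or URL-safe).
B64_RE = re.compile(r"^[A-Za-z0-9+/=_-]{12,}$")
# Decoded payload must look like a complete http(s) URL, optionally with port and path.
URL_RE = re.compile(r"^https?://[A-Za-z0-9.-]+(?::\d+)?(?:/\S*)?$")


def decode_hidden_url(txt_value):
    """Return the decoded URL if txt_value is a Base64-encoded http(s) URL, else None."""
    candidate = txt_value.strip().strip('"')
    if not B64_RE.fullmatch(candidate):
        return None  # spaces, semicolons etc. rule out SPF/DMARC/DKIM-style records quickly
    padded = candidate + "=" * (-len(candidate) % 4)  # tolerate stripped padding
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            decoded = decoder(padded).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # binary blobs (e.g. raw keys) are not URLs
        if URL_RE.fullmatch(decoded):
            return decoded
    return None


def scan_txt_records(records):
    """Scan {name: [txt values]} and return (name, decoded_url) for every hit."""
    findings = []
    for name, values in records.items():
        for value in values:
            url = decode_hidden_url(value)
            if url is not None:
                findings.append((name, url))
    return findings


if __name__ == "__main__":
    for name, url in scan_txt_records(SAMPLE_TXT_RECORDS):
        print(f"suspicious TXT at {name}: decodes to {url}")
```

Feed it the TXT answers from passive DNS or a resolver log export to surface lookups that compromised WordPress sites perform for their redirect targets.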
Indicators of Compromise
- [Domain] Malicious TDS domains linked to VexTrio and affiliates – mvgde[.]mountbliss[.]top, scoretopprizes[.]top, cdsecurecloud-dt[.]com, 702942e07c[.]hotbkebani[.]cc
- [IP Address] C2 server hosting – 46[.]30[.]45[.]27 (Iron Hosting), 185[.]11[.]61[.]37 (Chang Way)
- [Affiliate Parameter] Unique affiliate identifiers used in malicious campaigns – u=pe7k605, pl=CHiI7Gh3GUyTa8XGgNqDyQ, utm_medium=9eb2bcdc89976429bc64127056a4a9d5d3a2b57a, sub1=ct1qt1t109qc73fj4fsg, id=1003455
- [File Name] Rare lure image filenames associated with scams – 1.png, 2.png, logo.png, bot.png, man.png
- [URL Pattern] Various TDS URL parameter formats indicating different advertising affiliates – /index/?[numbers], ?p=, ?fingerprint=, ?utm_medium=