VexTrio at the Center of Affiliate Cybercrime Program | Infoblox

VexTrio operates a massive traffic-distribution ecosystem, linking with affiliates like ClearFake and SocGholish to route user traffic through multiple TDS servers. The study highlights how these TDS networks drive various campaigns—from dating and fake browser updates to robot CAPTCHA and SMS scams—across tens of thousands of domains and a global footprint.
#VexTrio #ClearFake #SocGholish #DDGA #TDS

Keypoints

  • VexTrio is the largest malicious traffic broker described in security literature, with at least 60 affiliate partners.
  • Affiliates include ClearFake and SocGholish, often using Keitaro or other TDS to redirect traffic to VexTrio infrastructure.
  • Traffic is managed via two main TDS variants: HTTP-based and DNS-based (including DNS-over-HTTPS), enabling multi-stage redirects and resilience.
  • VexTrio employs a growing DDGA dictionary (thousands of words) to generate domains, contributing to over 70,000 known domains.
  • Infrastructure has shifted toward shared hosting and cloud services, complicating takedowns and attribution.
  • Attack vectors include drive-by compromises of WordPress sites, visible JavaScript injections, lookalike domains, URL shorteners, and multi-actor race conditions.

MITRE Techniques

  • [T1189] Drive-by Compromise – The most common attack vector is a drive-by compromise that targets websites running a vulnerable version of the WordPress software. “To set the stage for a drive-by compromise, the actors compromise vulnerable websites and inject malicious JavaScript into their HTML pages.”
  • [T1059.007] Command and Scripting Interpreter: JavaScript – The attack uses injected JavaScript to redirect victims to TDS servers; “The injected code calls the API of popular cryptocurrency exchange platform Binance”, and the code runs when the victim's browser executes the page's scripts.
  • [T1027] Obfuscated Files and Information – Obfuscated JavaScript hides the malicious logic; “The obfuscation method is simple and encodes various segments of the VexTrio TDS URL in Base64.”
  • [T1071.004] Application Layer Protocol: DNS – The DNS-based TDS and its DoH variant fetch the next-stage TDS URL through DNS queries; “DoH methods are effective at bypassing DNS-based security solutions”, and the report's DoH URL example shows the DNS TXT query flow.
  • [T1036] Masquerading – Use of lookalike domains and branding to impersonate legitimate services; “lookalike TDS domains that infringe technology brands” and examples like antibotcloud.com.
  • [T1583.001] Acquire Infrastructure: Domains – Domain generation and massive domain inventory (DDGA) to sustain operations; “registering large quantities of domains daily that are dynamically generated via a dictionary domain generation algorithm (DDGA)”.
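As an added illustration of the DDGA point made in the key points and under T1583.001 (example code written for this summary, not code from Infoblox or the report): a small Python triage heuristic that flags DNS query names whose registrable label tiles exactly into dictionary words, as the two sample domains on this page do. The word list, the TLD list and the log lines are constructed assumptions, not the actual VexTrio dictionary or real telemetry.

```python
import re
# Constructed mini word list (an assumption); the real VexTrio dictionary runs
# to thousands of words and would be recovered from observed domains.
DICTIONARY = {"woman", "flirting", "bonus", "top", "price", "dating", "meet",
              "chat", "love", "free", "best", "hot", "girl", "girls"}
# Constructed TLD list used for scoring only (the page's two samples use .life).
SUSPICIOUS_TLDS = {"life", "world", "today", "live", "online", "site"}
# Constructed DNS query log in an assumed key=value format.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z client=10.0.0.5 qname=www.example.com qtype=A
2024-05-01T10:00:02Z client=10.0.0.5 qname=womanflirting.life qtype=A
2024-05-01T10:00:03Z client=10.0.0.7 qname=bonustop-price.life qtype=TXT
2024-05-01T10:00:04Z client=10.0.0.9 qname=bestprice.com qtype=A
"""
def segment(label, words=DICTIONARY):
    """Tile `label` with dictionary words (fewest words wins); None if impossible."""
    best = [None] * (len(label) + 1)
    best[0] = []
    for i in range(1, len(label) + 1):
        for j in range(i):
            if best[j] is not None and label[j:i] in words:
                cand = best[j] + [label[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[len(label)]

def ddga_words(fqdn):
    """Split the registrable label on hyphens and tile every part, else None."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    words = []
    for part in filter(None, labels[-2].split("-")):
        seg = segment(part)
        if seg is None:
            return None
        words.extend(seg)
    return words

def is_ddga_candidate(fqdn, min_words=2):
    """Triage rule: at least min_words dictionary words in the SLD plus a listed TLD."""
    words = ddga_words(fqdn)
    tld = fqdn.lower().rstrip(".").split(".")[-1]
    return bool(words) and len(words) >= min_words and tld in SUSPICIOUS_TLDS

def flag_log(log_text):
    """Return (qname, words) for every queried name in the log that trips the rule."""
    names = re.findall(r"qname=(\S+)", log_text)
    return [(n, ddga_words(n)) for n in names if is_ddga_candidate(n)]
```

A hit is a triage signal to correlate with the other indicators on this page, not a verdict; names built from common words on ordinary TLDs (bestprice.com in the sample) are deliberately left unflagged.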

Indicators of Compromise

  • [Domain] VexTrio-related domains – womanflirting.life, bonustop-price.life, and many more domains (used by TDS networks)

Read more: https://blogs.infoblox.com/cyber-threat-intelligence/cybercrime-central-vextrio-operates-massive-criminal-affiliate-program/