Infoblox Exposes VexTrio: The Cybercrime Syndicate’s Largest Traffic Broker

A recent study by Infoblox has unveiled the existence of a vast “criminal affiliate program” involving renowned cybercriminal groups ClearFake, SocGholish, and dozens of others, with VexTrio acting as the primary partner. VexTrio is described as “the single largest malicious traffic broker described in security literature.”

VexTrio’s activities commenced around 2017, employing a dictionary-based domain generation algorithm (DDGA) to distribute scams, spyware, adware, potentially unwanted programs, and pornographic content. In 2022, the group successfully distributed the Glupteba malware, despite Google’s efforts to dismantle a significant portion of that botnet’s infrastructure in December 2021.

In August 2023, VexTrio orchestrated a large-scale attack using the aforementioned DDGA algorithm and compromised WordPress sites, redirecting visitors to intermediary C2 domains. A notable feature of these infections is the use of the DNS protocol to obtain redirection URLs, allowing the group to operate as a DNS-based traffic distribution system (DTDS).

VexTrio is estimated to manage a network of over 70,000 domains and interacts with approximately 60 affiliates, including the aforementioned ClearFake and SocGholish. Security researchers from Infoblox stated that the methods for recruiting affiliates remain unknown, but it is speculated that VexTrio may advertise its services on dark forums.

VexTrio’s network uses a traffic distribution system (TDS) to receive and resell web traffic. The TDS is a large and complex cluster of servers managing thousands of domains. It operates in two modes, HTTP-based and DNS-based, with the latter in use since July 2023.
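The two traits the article attributes to VexTrio’s DNS mode, dictionary-word domain names and redirect URLs fetched over DNS, are both visible in resolver logs. The following detector is an added example (not Infoblox’s tooling or anything from the report): it tiles the leading label of each queried name with words from a small constructed word list and flags TXT answers that carry an http(s) URL. The log format, the word list and the sample entries are all constructed for the example; that the redirect URLs travel in TXT records is an assumption, not something the article states.

```python
import re

# Constructed stand-in for a real dictionary; a production check would load a full word list.
WORDS = {"fresh", "market", "cloud", "secure", "update", "news", "daily", "track", "best", "deal"}
URL_RE = re.compile(r"https?://[^\s\"']+")


def dictionary_split(label, words=WORDS, min_words=2):
    """Return the shortest list of dictionary words that exactly tiles `label`, or None.

    Dynamic programming over character positions. A label is only reported when it
    splits into at least `min_words` words, so a single real word is not flagged.
    """
    n = len(label)
    best = [None] * (n + 1)   # best[i] = fewest-words tiling of label[:i]
    best[0] = []
    for i in range(1, n + 1):
        for j in range(max(0, i - 12), i):          # dictionary words up to 12 chars
            if best[j] is not None and label[j:i] in words:
                cand = best[j] + [label[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    tiling = best[n]
    return tiling if tiling and len(tiling) >= min_words else None


def analyse_dns_log(lines):
    """Scan constructed log lines '<ts> <client> <qtype> <qname> <rdata>' and return
    (client, qname, reasons) for every entry that shows a DNS-TDS trait."""
    findings = []
    for line in lines:
        _ts, client, qtype, qname, rdata = line.split(" ", 4)
        label = qname.rstrip(".").split(".")[0]       # leading label only
        reasons = []
        split = dictionary_split(label)
        if split:
            reasons.append("dictionary-dga:" + "+".join(split))
        url = URL_RE.search(rdata) if qtype == "TXT" else None
        if url:                                       # URL delivered as DNS data (assumption: TXT)
            reasons.append("url-in-txt:" + url.group(0))
        if reasons:
            findings.append((client, qname, reasons))
    return findings


# Constructed sample log: one benign A query, one benign DMARC TXT lookup, two suspicious entries.
SAMPLE_LOG = [
    '2023-08-02T10:00:01Z 10.0.5.21 A www.example-shop.test 93.184.216.34',
    '2023-08-02T10:00:02Z 10.0.5.21 TXT freshmarketdeal.test "https://track.redirect.test/go?id=7"',
    '2023-08-02T10:00:03Z 10.0.5.22 A cloudsecureupdate.test 203.0.113.9',
    '2023-08-02T10:00:04Z 10.0.5.23 TXT _dmarc.example-shop.test "v=DMARC1; p=none"',
]

if __name__ == "__main__":
    for client, qname, reasons in analyse_dns_log(SAMPLE_LOG):
        print(client, qname, ", ".join(reasons))
```

On the sample log only the two constructed VexTrio-style entries are reported; the DMARC TXT lookup and the plain A query pass because they carry no URL and their labels do not tile into dictionary words.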

According to Palo Alto Networks, another TDS, Parrot, has been active since October 2021 and may have existed as early as August 2019. On sites compromised by Parrot TDS, malicious scripts are injected into the existing JavaScript code, redirecting victims’ browsers to fraudulent sites.

VexTrio’s primary attack vector targets websites running a vulnerable version of WordPress, injecting malicious JavaScript into their HTML. Infoblox emphasizes that VexTrio is a key player in the cybercriminal affiliate ecosystem.

Due to the complex structure and interconnected nature of the affiliate network, accurately classifying and attributing VexTrio’s activities has proven challenging, allowing them to thrive for over six years while remaining unrecognized by the cybersecurity industry.

The researchers characterized VexTrio as the “kingpin of cybercrime affiliations,” highlighting that global consumer cybercrime flourishes as long as these traffic brokers remain undetected.