The threat actors behind ClearFake, SocGholish, and dozens of other e-crime outfits have established partnerships with another entity known as VexTrio as part of a massive "criminal affiliate program," new findings from Infoblox reveal.
The latest development demonstrates the "breadth of their activities and depth of their connections within the cybercrime industry," the company said, describing VexTrio as the "single largest malicious traffic broker described in security literature."
VexTrio, which is believed to have been active since at least 2017, has been attributed to malicious campaigns that use domains generated by a dictionary domain generation algorithm (DDGA) to propagate scams, riskware, spyware, adware, potentially unwanted programs (PUPs), and pornographic content.
This includes a 2022 activity cluster that distributed the Glupteba malware following an earlier attempt by Google to take down a significant chunk of its infrastructure in December 2021.
In August 2023, the group also orchestrated a widespread attack involving compromised WordPress websites that conditionally redirect visitors to intermediary command-and-control (C2) and DDGA domains.
What made the infections significant was the fact that the threat actor leveraged the Domain Name System (DNS) protocol to retrieve the redirect URLs, effectively acting as a DNS-based traffic distribution (or delivery or direction) system (TDS).
VexTrio is estimated to operate a network of more than 70,000 known domains, brokering traffic for as many as 60 affiliates, including ClearFake, SocGholish, and TikTok Refresh.
Renée Burton, head of threat intelligence at Infoblox, told The Hacker News that it's currently not known how the affiliates are recruited, although it's suspected that the VexTrio actors may be advertising their services in dark web forums or at least have a way for other cybercriminals to get in touch with them.
"VexTrio operates their affiliate program in a unique way, providing a small number of dedicated servers to each affiliate," Infoblox said in a deep-dive report shared with the publication. "VexTrio's affiliate relationships appear longstanding."
Not only can its attack chains include multiple actors, VexTrio also controls multiple TDS networks to route site visitors to illegitimate content based on their profile attributes (e.g., geolocation, browser cookies, and browser language settings) in order to maximize profits, while filtering out the rest.
These attacks feature infrastructure owned by different parties wherein participating affiliates forward traffic originating from their own resources (e.g., compromised websites) to VexTrio-controlled TDS servers. In the next phase, this traffic is relayed to other fraudulent sites or malicious affiliate networks.
"VexTrio's network uses a TDS to consume web traffic from other cybercriminals, as well as sell that traffic to its own customers," the researchers said. "VexTrio's TDS is a large and sophisticated cluster server that leverages tens of thousands of domains to manage all of the network traffic passing through it."
Image Source: Palo Alto Networks Unit 42
The VexTrio-operated TDS comes in two flavors: one based on HTTP that handles URL queries with different parameters, and another based on DNS, which was first put to use in July 2023.
It's worth noting at this stage that while SocGholish (aka FakeUpdates) is a VexTrio affiliate, it also operates other TDS servers, such as Keitaro and Parrot TDS, with the latter acting as a mechanism for redirecting web traffic to SocGholish infrastructure.
"There is no evidence that VexTrio is using Parrot TDS," Burton said. "VexTrio is significantly older than Parrot – it is the oldest known TDS – and they operate their own software."
"VexTrio affiliates, like SocGholish, analogous to the legitimate marketing world, may leverage different platforms to distribute traffic and make money. It is more likely that Parrot TDS goes to VexTrio TDS but we haven't analyzed that traffic flow."
According to Palo Alto Networks Unit 42, Parrot TDS has been active since October 2021, although there is evidence from artifacts to suggest that it may have been around as early as August 2019.
"Websites with Parrot TDS have malicious scripts injected into existing JavaScript code hosted on the server," the company noted in an analysis last week. "This injected script consists of two components: an initial landing script that profiles the victim, and a payload script that can direct the victim's browser to a malicious location or piece of content."
The injections, in turn, are facilitated by the exploitation of known security vulnerabilities in content management systems (CMS) such as WordPress and Joomla!
The attack vectors adopted by the VexTrio affiliate network for gathering victim traffic are no different in that they primarily single out websites running a vulnerable version of the WordPress software to insert rogue JavaScript into their HTML pages.
In one instance identified by Infoblox, a compromised website based in South Africa was found to be injected with JavaScript from ClearFake, SocGholish, and VexTrio.
That's not all. Besides contributing web traffic to numerous cyber campaigns, VexTrio is also suspected to carry out some of its own, making money by abusing referral programs and receiving web traffic from an affiliate and then reselling that traffic to a downstream threat actor.
"VexTrio's advanced business model facilitates partnerships with other actors and creates a sustainable and resilient ecosystem that is extremely difficult to destroy," Infoblox concluded.
"Due to the complex design and entangled nature of the affiliate network, precise classification and attribution is difficult to achieve. This complexity has allowed VexTrio to flourish while remaining nameless to the security industry for over six years."
Burton further characterized VexTrio as the "kingpin of cybercrime affiliations," stating "global consumer cybercrime thrives because these traffic brokers go unnoticed. In contrast, by blocking VexTrio traffic in DNS, you block all related crime, regardless of what it is and whether you know about it."
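The DNS-based TDS described above (redirect URLs handed to the victim's browser through DNS lookups) and the DNS-blocking remedy Burton recommends suggest a detection approach. The script below is an added example, not Infoblox's or Unit 42's code, and its heuristics are assumptions: that the redirect URL is carried in a TXT answer, that the same client then resolves the host named in that URL, and that a local DNS blocklist is available. The log lines and the `tds-placeholder.test` domain are constructed, not real indicators.

```python
import re
from urllib.parse import urlparse

# Constructed sample resolver log (not real indicators); fields: client qname qtype answer
SAMPLE_LOG = """\
10.0.0.5 www.example-news.test A 203.0.113.10
10.0.0.5 cdn.example-news.test TXT "v=spf1 -all"
10.0.0.7 lookup.tds-placeholder.test TXT "https://redirect.tds-placeholder.test/landing?cid=77"
10.0.0.7 redirect.tds-placeholder.test A 198.51.100.9
10.0.0.9 mail.example-news.test MX 10 mx.example-news.test
"""

URL_RE = re.compile(r'https?://[^\s"]+', re.IGNORECASE)

def in_blocklist(qname, blocklist):
    """True if qname equals or is a subdomain of any blocklisted domain."""
    return any(qname == d or qname.endswith("." + d) for d in blocklist)

def find_dns_tds_indicators(log_text, blocklist=frozenset()):
    """Return (client, qname, reason, detail) tuples for suspicious records.

    Heuristics (assumptions for this example, not details from the report):
      1. qname matches a DNS blocklist entry;
      2. a TXT answer carries an http(s) URL, i.e. DNS is used to hand a
         redirect target to a client;
      3. the same client then resolves the host named in that URL.
    """
    findings = []
    pending = {}  # client -> set of hosts handed out via TXT answers
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        client, qname, qtype, answer = parts
        if in_blocklist(qname, blocklist):
            findings.append((client, qname, "blocklisted-domain", qname))
        if qtype == "TXT":
            for url in URL_RE.findall(answer):
                host = urlparse(url).hostname
                if host:
                    pending.setdefault(client, set()).add(host.lower())
                    findings.append((client, qname, "url-in-txt-answer", url))
        elif qtype in ("A", "AAAA") and qname.lower() in pending.get(client, set()):
            findings.append((client, qname, "redirect-host-resolved", qname))
    return findings

if __name__ == "__main__":
    for finding in find_dns_tds_indicators(SAMPLE_LOG, {"tds-placeholder.test"}):
        print(*finding)
```

The TXT-then-A correlation fires even when no blocklist entry exists yet, which is the case Burton highlights: traffic to a broker you do not know about.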
(The story was updated after publication to include additional commentary from Infoblox.)