Report Links Los Pollos and RichAds to Malware Traffic Operations

New research by Infoblox Threat Intel exposes a hidden alliance between major cybercrime groups like VexTrio and seemingly legitimate AdTech firms such as Los Pollos, Partners House, BroPush, and RichAds. Discover how malware, including DollyWay, shifted operations, revealing shared infrastructure and tactics.

Infoblox Threat Intel has exposed a secret alliance between the VexTrio cybercrime group and a set of seemingly legitimate AdTech companies. The discovery followed a disruption of VexTrio, after which many malware groups shifted to a single, previously hidden provider.

The investigation began by disrupting VexTrio’s Traffic Distribution System (TDS). A TDS acts like a digital traffic controller, directing website visitors to content. A malicious TDS, however, sends users to harmful sites hosting malware or scams, often “cloaking” its true nature by serving benign content to researchers and security scanners. When VexTrio’s TDS was disrupted, malware actors unexpectedly moved to what appeared to be a new TDS, but it was in fact the same one.

On November 13, 2024, Qurium researchers revealed that Los Pollos, a Swiss-Czech AdTech company, was part of VexTrio. This was discovered when Russia’s Doppelganger group used Los Pollos’ “smartlinks” (links malware operators use to send traffic to a malicious AdTech TDS, leading people to fake apps or scams). Infoblox and Qurium then collaborated, sharing information with other security groups.

Source: Infoblox

The Domino Effect and a New Player

On November 17, Los Pollos stopped its push link monetization, causing immediate changes across hacked websites. By November 20, 2024, malware like DollyWay, which previously used VexTrio and had been exploiting WordPress vulnerabilities for eight years, switched to the Help TDS.

Other major malware campaigns, including Balada and Sign1, as identified by GoDaddy, also shifted or ceased operations. GoDaddy’s 2024 report indicated that almost 40% of compromised sites redirected visitors via VexTrio through Los Pollos.

The role of affiliate networks in malicious Adtech (Source: Infoblox)

Further checks confirmed Help TDS was not new, but had been tied to VexTrio for years. Researchers found that Help TDS and Disposable TDS were the same, sharing a special relationship with VexTrio until November 2024.

Analysis of 4.5 million DNS TXT record responses showed malware using DNS TXT records for command and control (C2) also switched to Help TDS. These C2 servers, despite different setups, all led to VexTrio before the change, and then to Help TDS.
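As an added example (not code from the Infoblox research or this article), the pivot described above for TXT-based C2 can be reproduced as a small detection pass over passive-DNS TXT responses: extract URLs, whether plaintext or base64-wrapped, and group the querying names by the host they redirect to, so that C2 servers with different setups but the same landing host stand out. Every name and value below is constructed for illustration and uses reserved `.invalid`/`.example` domains.

```python
"""Flag DNS TXT responses that carry redirect URLs and pivot on the shared landing host."""
import base64
import re
from collections import defaultdict
from urllib.parse import urlparse


def _b64(url: str) -> str:
    """Wrap a URL in base64 the way a TXT-based C2 channel might."""
    return base64.b64encode(url.encode()).decode()


# Constructed passive-DNS sample: (queried name, TXT value). None of these are
# indicators from the report; the .invalid names are placeholders.
SAMPLE_TXT_RESPONSES = [
    ("example.com", "v=spf1 include:_spf.example.com -all"),
    ("_dmarc.example.com", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    ("lookup-a.invalid", _b64("https://tds-one.invalid/go?id=123")),  # base64-wrapped URL
    ("lookup-b.invalid", "https://tds-one.invalid/go?id=456"),         # plaintext URL
    ("lookup-a.invalid", _b64("https://tds-one.invalid/go?id=789")),
    ("ok.example.net", "google-site-verification=abc123"),
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
BENIGN_PREFIXES = ("v=spf1", "v=DMARC1", "google-site-verification=")


def txt_urls(value: str) -> list[str]:
    """URLs found in a TXT value, either in plaintext or after base64 decoding."""
    found = URL_RE.findall(value)
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
        found += URL_RE.findall(decoded)
    except (ValueError, UnicodeDecodeError):
        pass  # not valid base64 or not text: nothing more to extract
    return found


def classify_txt(value: str) -> str:
    """'benign' for well-known record types, 'redirect' if it carries a URL, else 'unknown'."""
    if value.startswith(BENIGN_PREFIXES):
        return "benign"
    return "redirect" if txt_urls(value) else "unknown"


def pivot_by_target(responses) -> dict[str, list[str]]:
    """Map each redirect host to the sorted querying names whose TXT answers point at it."""
    targets = defaultdict(set)
    for name, value in responses:
        if classify_txt(value) == "redirect":
            for url in txt_urls(value):
                targets[urlparse(url).hostname].add(name)
    return {host: sorted(names) for host, names in targets.items()}


if __name__ == "__main__":
    for host, names in pivot_by_target(SAMPLE_TXT_RESPONSES).items():
        print(f"{host}: {', '.join(names)}")
```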

The investigation found many TDSs shared software and web address patterns with VexTrio, suggesting a common origin. While the Help TDS owner is unknown, commercial AdTech companies like Partners House, BroPush, and RichAds operate common TDSs, many with Russian ties, though no common ownership was found.

Malware operators’ reliance on commercial AdTech could be their downfall, as these companies hold personal and payment information that could identify the criminals behind them. The consistent use of shared code, lure images, and web address patterns by the VexTrio, Help, and Disposable TDSs, plus specific JavaScript that hinders user navigation, points to a deeply coordinated operation.

Six TDSs, including VexTrio, Partners House, and RichAds, use identical lure images, often named simply “1.png,” “2.png,” and so on, to trick users into allowing malicious push notifications. These TDSs, run by large public affiliate networks specializing in push advertising, also use PowerDNS, suggesting shared infrastructure.

These findings show that cybercrime sophistication is growing, making it harder to differentiate between legitimate and malicious operations. Continuous research and collaboration between security firms remain important for protecting online users from such scams.
