VexTrio, a cybercrime syndicate with a history dating back to at least 2017, has been implicated in nefarious activities utilizing a sophisticated dictionary domain generation algorithm (DDGA).
Their malicious campaigns encompass scams, riskware, spyware, adware, potentially unwanted programs (PUPs), and explicit content, with a notable occurrence in 2022 involving the distribution of the Glupteba malware following a prior intervention by Google in December 2021.
The scope of VexTrio’s influence extends to a network of over 70,000 documented domains, facilitating traffic brokering for approximately 60 affiliates, including ClearFake, SocGholish, and TikTok Refresh.
Open Suspicious Files & Links in the ANY RUN Sandbox Safely; Try All Features for Free. Understand malware behavior, collect IOCs, and easily map malicious actions to TTPs — all in our interactive sandbox.
Security analysts from Infoblox posit that VexTrio may be advertising its services on dark web forums or employing alternative channels for cybercriminal engagement.
Operational Mechanism of VexTrio:
Functioning as intermediaries between malware creators and those seeking to launch cyberattacks, VexTrio offers affiliates:
- Access to a network of malicious domains hosting malware, phishing pages, and harmful content.
- Traffic distribution systems (TDS) redirect victims based on location, interests, and other parameters.
- Payment processing, compensating affiliates based on generated traffic or successful attacks.
Prominent VexTrio Affiliates:
ClearFake: Specializes in crafting deceptive websites to pilfer personal information.
SocGholish: Utilizes social engineering tactics to trick victims into interacting with malicious links or downloading malware.
TikTok Refresh: Targets TikTok users through phishing scams and counterfeit applications.
Impact of VexTrio:
VexTrio poses a substantial threat to global internet users, leading to issues such as identity theft, financial losses, and data breaches affecting businesses and organizations.
Infoblox has uncovered a web of Vextrio attacks, with the initial threads dating back to early 2022 and ongoing campaigns detected in February.
Michael Jones, Malware Expert: “The fact that they were able to bypass Google’s intervention with the Glupteba malware distribution shows their adaptability and resilience. They are constantly evolving their tactics and techniques, making it a constant challenge for defenders to stay ahead.”
Protective Measures against VexTrio:
- Exercise caution with visited websites, prioritizing trusted sources.
- Avoid clicking on suspicious links or attachments in emails or messages from unfamiliar sources.
- Keep software updated to mitigate vulnerabilities.
- Employ a robust security suite to counter malware and phishing threats.
- Stay informed about the latest cyber threats to proactively safeguard against potential risks.