A DNS management and security provider has exposed and blocked VexTrio, a complex criminal affiliate program, removing a key piece of cybercrime infrastructure.
Infoblox has made another important discovery in the fight against cybercrime: in a comprehensive blog post published today, the company presents its findings on VexTrio, the operator of a massive criminal affiliate network. VexTrio has played a central role in brokering malicious traffic for years. Although VexTrio is difficult to identify and track, blocking it directly disrupts a wide range of cybercriminal activity. Through this discovery, Infoblox has helped make cyberspace safer.
Infoblox aims to raise awareness of the threat posed by traffic distribution systems (TDS) by targeting these structures, and advocates increased industry-wide collaboration in detecting, identifying and combating malicious TDS providers.
How the VexTrio Affiliate Program Works
VexTrio's affiliate program works much like a legitimate marketing affiliate network. Each attack typically touches the infrastructure of several companies. VexTrio partners redirect traffic originating from their own networks (for example, compromised websites) to the TDS servers controlled by VexTrio. VexTrio then selectively forwards this traffic to the malicious sites of other actors or to other malicious affiliate networks. VexTrio not only provides criminal infrastructure for others, but also acts as a threat actor in its own right, running its own malicious campaigns.
The key findings of the comprehensive Infoblox report on VexTrio:
- VexTrio has well-known partners such as ClearFake and SocGholish.
- VexTrio has at least 60 partners, making it the largest malicious traffic broker described in the security literature.
- VexTrio operates its affiliate program in a unique way by providing each affiliate with a small number of dedicated servers.
- VexTrio maintains long-term partnerships. For example, SocGholish has been a VexTrio partner since at least April 2022.
- VexTrio's attack chains can involve multiple actors. Infoblox has observed up to four actors in a single attack sequence.
- VexTrio and its partners abuse McAfee and Benaughty referral programs.
- VexTrio controls multiple TDS networks that function in different ways. As recently as the end of December, Infoblox uncovered a new DNS-based TDS.
- VexTrio's domain generation systems are constantly evolving. Relying solely on a static list of words or top-level domains (TLDs) derived from historical domains is therefore ineffective: this approach is not enough to detect all VexTrio domains, of which there are now more than 70,000.
- VexTrio has made a significant shift from dedicated hosting and name servers to shared providers. Since Infoblox first discovered VexTrio, over 55% of the VexTrio domains that were previously hosted on dedicated infrastructure have migrated to shared hosting.
About Infoblox
Infoblox combines network management and security, delivering high performance together with strong protection. Both Fortune 100 companies and emerging startups value Infoblox for real-time visibility and control over who and what is connecting to their networks. This allows companies to work faster and stop threats sooner.