Malicious Traffic Distribution System Spotted by Researchers

Researchers have uncovered the growing professionalization of the cybercrime ecosystem, highlighting an online redirection service, VexTrio, as a major traffic broker for various threat groups. VexTrio operates malicious traffic distribution systems that assess victims based on factors such as device type and location and redirect them to malicious sites according to client requirements. Over six years, VexTrio has been linked to takeovers of legitimate domains and to the registration of over 70,000 malicious domains using a domain generation algorithm.

Cybercriminals use traffic distribution systems to profile victims and redirect them to illegitimate content, often malware or scams. Identifying such malicious infrastructure is challenging because it closely resembles legitimate marketing operations.

Security Officer Comments:
VexTrio, the central malicious traffic broker, has been operating for six years, establishing and managing multiple traffic distribution systems used by over 60 affiliated cybercrime groups. These groups, including SocGholish and ClearFake, leverage VexTrio’s services to redirect victims based on intricate criteria such as device type, location, and browser vulnerabilities. Notably, VexTrio has been implicated in takeovers of legitimate domains, with instances such as the compromise of a hospital website in Colombia and the manipulation of WordPress sites with known vulnerabilities. The scale of VexTrio’s operations is underscored by its registration of at least 70,000 malicious domains using a dynamic, dictionary-based domain generation algorithm.

Suggested Corrections:
To improve your organization’s resilience against VexTrio and similar TTPs, we recommend the following protective actions:

  • Limit web activity to secure websites that use a Secure Sockets Layer (SSL) certificate. A secure website’s URL should begin with “https” rather than plain “http.”
  • Look for the green lock icon when visiting unfamiliar websites and click on the icon to review the website’s authenticity.
  • Do not allow push notifications from untrusted websites.
  • Consider using an adblocker program to block certain malware activated by popup ads. Along with an adblocker, consider using the web extension NoScript, which allows JavaScript and other potentially harmful content to execute only from trusted sites to reduce the attack surface available to actors.
  • When an attack chain is observed that includes redirection through domains that might be VexTrio or another TDS actor, proactively block the intermediate domains.
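The last recommendation, reconstructing a TDS redirect chain from proxy logs and extracting the intermediate domains to block, as an added example that is not part of the original advisory. It assumes a simple space-separated proxy log format (timestamp, client, method, URL, status, Location header) and uses constructed placeholder domains, not real VexTrio infrastructure.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log (ts client method url status location); placeholder domains, not real VexTrio infrastructure.
SAMPLE_LOG = """\
2024-01-23T10:00:01Z 10.0.0.5 GET https://blog.example.org/post/1 200 -
2024-01-23T10:00:02Z 10.0.0.5 GET https://tds-hop-a.example/go?id=7 302 https://tds-hop-b.example/r
2024-01-23T10:00:02Z 10.0.0.5 GET https://tds-hop-b.example/r 302 https://landing-scam.example/win
2024-01-23T10:00:03Z 10.0.0.5 GET https://landing-scam.example/win 200 -
2024-01-23T10:00:05Z 10.0.0.9 GET http://cdn.example.net/lib.js 301 https://cdn.example.net/lib.js
2024-01-23T10:00:05Z 10.0.0.9 GET https://cdn.example.net/lib.js 200 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

def parse_log(text):
    """Parse the assumed 'ts client method url status location' proxy format into event dicts."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):  # malformed lines are skipped
        _ts, client, _method, url, status, location = m.groups()
        events.append({"client": client, "url": url, "status": int(status), "location": location})
    return events

def redirect_chains(events, max_hops=10):
    """Stitch each client's 3xx hops into chains [first_redirector, ..., landing_url]; max_hops bounds loops."""
    hops_by_client = defaultdict(dict)
    for e in events:
        if 300 <= e["status"] < 400 and e["location"] != "-":
            hops_by_client[e["client"]][e["url"]] = e["location"]
    chains = []
    for hops in hops_by_client.values():
        # a chain starts at a redirect source that is not itself the target of another redirect
        for start in sorted(set(hops) - set(hops.values())):
            chain = [start]
            while chain[-1] in hops and len(chain) <= max_hops:
                chain.append(hops[chain[-1]])
            chains.append(chain)
    return chains

def tds_candidates(events, min_hops=2):
    """Intermediate domains (every hop except the landing page) of chains with at least min_hops redirects."""
    blocklist = set()  # a single hop (e.g. http->https) is normal traffic and ignored by default
    for chain in redirect_chains(events):
        if len(chain) - 1 >= min_hops:
            blocklist.update(urlparse(u).hostname for u in chain[:-1])
    return sorted(blocklist)

if __name__ == "__main__":
    print(tds_candidates(parse_log(SAMPLE_LOG)))  # ['tds-hop-a.example', 'tds-hop-b.example']
```

The landing domain is deliberately kept out of the intermediate list so it can be reviewed and blocked separately; raise `min_hops` if legitimate multi-hop redirectors (link shorteners, SSO flows) generate noise in your environment.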