Security and networking company Infoblox has released new research unveiling a set of large-scale malicious cybercriminal partnerships led by insidious threat actor VexTrio. The partnerships involve a more than 60-strong underground affiliate network and are seeing high volumes of malware and other malicious content delivered to networks in Australia, New Zealand and across the globe.
Formed more than six years ago, VexTrio is now one of the world's largest malicious networks targeting internet users. It acts as a cybercriminal broker and operates traffic distribution systems (TDS) that route users based on their device, operating system, location, and other characteristics to malicious websites.
VexTrio has largely evaded detection and strengthened its resilience against internet service providers' efforts to suspend its assets, all while building up a unique "partner program".
"While cybercriminals are often portrayed as gangs of hackers or lone brilliant coders, more often they buy and sell goods and services as part of a larger criminal economy," said Renée Burton, Head of Threat Intelligence at Infoblox and a former Senior Executive (DISL) with the U.S. National Security Agency (NSA).
"For example, some actors sell malware services, and malware-as-a-service (MaaS) allows buyers easy access to the infrastructure necessary to commit crimes. These service providers also form strategic partnerships, similar to the way legitimate companies do, in order to extend the limits of their current operations. Such relationships are forged in secret and may include a number of partners, making them difficult to untangle and understand from an outside perspective."
Key findings from the report include:
- VexTrio is the single most pervasive threat in Infoblox customers' networks, active in more than 50 per cent of networks in just the last two years.
- The threat actor acts as a broker of malicious traffic for more than 60 cybercriminal affiliates.
- Partnerships tend to be longstanding and operate in a unique way, with VexTrio providing a number of dedicated servers to each affiliate.
- Despite connecting millions of web users to malicious content for more than six years, VexTrio has largely evaded detection due to its successful business model that feeds on web traffic from its affiliates and has infrastructure built on compromised websites.
- Two of its largest affiliates are ClearFake and SocGholish, malicious JavaScript frameworks that present website visitors with harmful content and inject malicious JavaScript into vulnerable websites, respectively. SocGholish is widely considered to be one of the top three global threats today.
- VexTrio is a prolific domain name system (DNS) attacker and has more than 70,000 known malicious domains.
The most common attack method deployed by VexTrio and its affiliates is the "drive-by compromise", where actors compromise vulnerable WordPress websites and inject malicious JavaScript into their HTML pages. This script typically contains a TDS that redirects victims to malicious infrastructure and gathers information such as their IP address. VexTrio also operates SMS scams where it sells victims' phone numbers to other cybercriminals.
"Although difficult to identify and track, blocking VexTrio at the DNS level can disrupt and protect against a large spectrum of cybercriminal activity," added Burton.
"This can be achieved through using tailored DNS signatures and statistical-based algorithms to identify VexTrio's intermediary TDS servers and domains shortly after they're registered. As Australian organisations look to raise their security posture in the wake of the new Cyber Security Strategy, it's important to understand how DNS threat actors like VexTrio operate, particularly as more than 90 per cent of malware depends on DNS at some stage of its execution."
The full report on VexTrio and its affiliate network can be found here.