VexTrio TDS: The Biggest Cybercrime Operation on the Web? - Dark Reading

2024-01-23 13:55 (EST) - Nate Nelson

A single traffic distribution system (TDS) operator in possession of more than 70,000 domains is facilitating scams, phishing, and malware infections on an unprecedented scale.

The group, "VexTrio," isn't known for running malicious campaigns of its own, though it does occasionally get its feet wet in cybercrime. Instead, it operates a TDS network connecting threat actors who compromise vulnerable websites with those who host malicious content.

Though VexTrio isn't the one with its finger on the trigger, its capacity for spreading malfeasance on the Internet shouldn't be underestimated. Infoblox, which published a detailed report about the group today, characterizes it as the most widespread threat actor in the wild, touching more than half of all organizations it has monitored in the past two years.

"This is the single largest, most pervasive, most persistent threat that we have in our customer networks," says Renée Burton, head of threat intelligence at Infoblox. "Pretty much any kind of network that we see is going to have this activity in it."

How VexTrio TDS Works

VexTrio operates a cluster of more than 70,000 ever-changing domains — a redirection monster, used to absorb traffic from resources controlled by its more than 60 cybercrime affiliate groups.

Quite often these are compromised WordPress sites. For example, SocGholish and ClearFake, two of VexTrio's most famous contemporaries, have become known for injecting malicious JavaScript into compromised sites that prompts visitors with fake browser update notifications.

VexTrio's TDS servers quickly filter traffic based on information gleaned from browser settings and cached data, including the target's operating system, location, and other potentially relevant attributes. If the visitor matches a predefined profile, they're redirected to another affiliate's malicious content (or sometimes to an affiliate's own TDS network, or to VexTrio's own content). Like the input, this output content runs the gamut: fake apps, scam webforms, and everything in between.

This arrangement allows attackers to identify and reject traffic from cyber researchers and botnets. It functions as a load balancer, prevents wasted resources on unintended targets, and provides metrics VexTrio can use to monitor performance and distribute credit to affiliates. With the VexTrio model, attackers can specialize in the aspects of cybercrime they do best. But most importantly, its a tool for microtargeting.

"I'm a victim who's clicked on a link, it could have come from malvertising, it could have been that I just randomly browsed a site," Burton explains. "If you think about it, it's the same reason that legitimate traffic distribution systems are used. There are brokers who make sure website publishers receive the most money possible from the advertisers, that advertisers receive the most applicable content. And the criminal world is working essentially the same way."

How VexTrio Is So Invisible and Persistent

VexTrio uses a bevy of tricks to evade detection: a dictionary domain generation algorithm (DDGA) to dynamically generate large numbers of domains every day, multi-staged chains of TDS redirections, URL query parameter names that overlap with referral links used by legitimate TDS networks, and so on.
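Because the TDS profiles each visitor before deciding where to send them, a single request replayed by an analyst rarely reproduces the malicious hop; what defenders reliably have is the trail a real victim left in proxy logs. The following added example (not code from the Infoblox report or from Dark Reading) reconstructs per-client redirect chains from constructed proxy log lines and flags chains that pass through several distinct hosts whose intermediate hops are dictionary-word domains or carry referral-style query parameters, the two traits the paragraph above describes. The log format, the small word list and the set of referral parameter names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log (not real data): "timestamp client method url status location".
# One victim (10.0.0.5) walks a three-hop chain from a compromised site through two
# dictionary-named intermediaries to a final landing page; a second client (10.0.0.9)
# performs an ordinary single redirect that must not be flagged.
SAMPLE_LOG = """\
2024-01-23T13:55:01Z 10.0.0.5 GET http://compromised-blog.example/post/123 302 http://steadyriver.example/?sid=77&tid=9
2024-01-23T13:55:01Z 10.0.0.5 GET http://steadyriver.example/?sid=77&tid=9 302 http://quiethill.example/go?aff=12&sid=77
2024-01-23T13:55:02Z 10.0.0.5 GET http://quiethill.example/go?aff=12&sid=77 302 http://update-prompt.example/chrome
2024-01-23T13:55:02Z 10.0.0.5 GET http://update-prompt.example/chrome 200 -
2024-01-23T13:55:03Z 10.0.0.9 GET http://shop.example/old 301 http://shop.example/new
2024-01-23T13:55:03Z 10.0.0.9 GET http://shop.example/new 200 -
"""

# Assumed tiny word list for the dictionary-label check; a real deployment would use a full one.
WORDS = {"steady", "river", "quiet", "hill", "bright", "moon", "fast", "stone", "shop", "update", "prompt"}

# Assumed set of affiliate/referral-style parameter names common in ad-tech links.
REFERRAL_PARAMS = {"sid", "tid", "aff", "ref", "subid", "clickid", "utm_source"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def segment_words(label, words=WORDS):
    """Return one segmentation of `label` into dictionary words, or None if impossible."""
    n = len(label)
    best = [None] * (n + 1)
    best[0] = []
    for i in range(1, n + 1):
        for j in range(max(0, i - 12), i):
            if best[j] is not None and label[j:i] in words:
                best[i] = best[j] + [label[j:i]]
                break
    return best[n]


def is_dictionary_domain(host):
    """A host looks DDGA-like if its leftmost label is exactly two or more dictionary words."""
    seg = segment_words(host.split(".")[0])
    return bool(seg) and len(seg) >= 2


def parse_log(text):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        ts, client, _method, url, status, location = m.groups()
        records.append({"ts": ts, "client": client, "url": url,
                        "status": int(status), "location": None if location == "-" else location})
    return records


def reconstruct_chains(records):
    """Group each client's requests into redirect chains: a request joins the open chain for
    that client when its URL equals the Location header of the client's previous response."""
    chains = []
    open_chain = {}  # client -> (chain, expected next URL)
    for r in sorted(records, key=lambda rec: rec["ts"]):  # stable sort keeps log order on ties
        chain, expected = open_chain.get(r["client"], ([], None))
        if expected == r["url"]:
            chain.append(r)
        else:
            if chain:
                chains.append(chain)
            chain = [r]
        if 300 <= r["status"] < 400 and r["location"]:
            open_chain[r["client"]] = (chain, r["location"])
        else:
            chains.append(chain)
            open_chain.pop(r["client"], None)
    chains.extend(chain for chain, _ in open_chain.values())  # redirects never followed
    return chains


def flag_chain(chain, min_hosts=3):
    """Flag a chain that spans at least `min_hosts` distinct hosts and whose intermediate hops
    use dictionary-word domains or referral-style query parameters."""
    hosts = [urlsplit(r["url"]).hostname for r in chain]
    if len(set(hosts)) < min_hosts:
        return None
    dict_hosts = [h for h in hosts[1:-1] if is_dictionary_domain(h)]
    params = set()
    for r in chain[1:-1]:
        params.update(k for k in parse_qs(urlsplit(r["url"]).query) if k in REFERRAL_PARAMS)
    if not dict_hosts and not params:
        return None
    return {"client": chain[0]["client"], "hosts": hosts,
            "dictionary_hosts": dict_hosts, "referral_params": sorted(params)}


def find_tds_chains(log_text=SAMPLE_LOG):
    return [f for f in (flag_chain(c) for c in reconstruct_chains(parse_log(log_text))) if f]


if __name__ == "__main__":
    for finding in find_tds_chains():
        print(finding)
```

The chain reconstruction keys only on the Location header, so JavaScript-driven redirects (the form SocGholish and ClearFake injections use) appear as separate chains unless the log also records the Referer; extending the join to Referer is the first change to make against real proxy data.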

VexTrio additionally maintains a number of compromised websites of its own, which, combined with its large roster of affiliates, means its business is hardly affected if a few clients are taken out by cyber defenders.

Most significantly, VexTrio benefits from appearing in most ways like any other legitimate TDS network. It performs all of the normal business functions that its counterparts in online advertising do — only its clientele fit a different profile.

Burton bemoans, "It's very hard for security companies or registries to go after the middleman because they're not actually hosting the malicious content. They're just the delivery guys, so gathering evidence about them is really hard. What are you going to say? I think this domain is doing a malicious redirection. Now prove it. They don't actually have any malicious software.

"So that middle section — the TDS, that broker — those guys are more persistent, more pervasive, and have more stable infrastructure than either the compromised sites on their left side or the malicious sites on their right side," she explains.

To finally bring the fight to the middleman, she says, "we can do a lot more collaboration and sharing. We always recommend that people have defense-in-depth. And hopefully registrars and registries will also become a more proactive player in the security environment and look for signs of malicious TDS."

"Admittedly, it's very difficult for those industries," Burton admits. "There are a lot of rules regarding freedom on the Internet that hinder that."
