Infoblox exposes cybercrime group VexTrio operating a huge criminal affiliate program targeting Australia

INFOBLOX has released new research unveiling a set of large-scale malicious cybercriminal partnerships led by VexTrio, the group cybersecurity specialists refer to as ‘an insidious threat actor’.

The partnerships involve a more than 60-strong underground affiliate network and are seeing high volumes of malware and other malicious content delivered to networks in Australia, New Zealand and across the globe.

Formed more than six years ago, VexTrio is now one of the world’s largest malicious networks targeting internet users today.

“While cybercriminals are often portrayed as gangs of hackers or lone brilliant coders, more often they buy and sell goods and services as part of a larger criminal economy,” Infoblox head of threat intelligence, Renée Burton said. Now operating in the commercial cybersecurity world, Ms Burton is a former senior executive (DISL) with the US National Security Agency (NSA).  

“For example, some actors sell malware services, and malware-as-a-service (MaaS) allows buyers easy access to the infrastructure necessary to commit crimes. These service providers also form strategic partnerships, similar to the way legitimate companies do, in order to extend the limits of their current operations.

“Such relationships are forged in secret and may include a number of partners, making them difficult to untangle and understand from an outside perspective.”

VexTrio acts as a cybercriminal broker and operates traffic distribution systems (TDS) that route users based on their device, operating system, location, and other characteristics to malicious websites.

VexTrio has largely evaded detection and strengthened its resilience against internet service providers’ efforts to suspend its assets, all while building up a unique ‘partner program’.

Key findings of report

The report has identified that VexTrio creates the single most pervasive threats in Infoblox customers’ networks, active in more than 50 percent of networks in just the last two years.

The threat actor acts as a broker of malicious traffic for more than 60 cybercriminal affiliates.

Partnerships tend to be longstanding and operate in a unique way, with VexTrio providing a number of dedicated servers to each affiliate.

Despite connecting millions of web users to malicious content for more than six years, VexTrio has largely evaded detection due to its successful business model that feeds on web traffic from its affiliates and has infrastructure built on compromised websites.

Two of its largest affiliates are ClearFake and SocGholish; malicious JavaScript frameworks that present website visitors with harmful content and inject malicious JavaScript into vulnerable websites, respectively. SocGholish is widely considered to be one of the top three global threats today.

VexTrio is a prolific domain name system (DNS) attacker and has more than 70,000 known malicious domains.

Drive-by compromise attacks

According to Infoblox, the most common attack method deployed by VexTrio and its affiliates has so far been the ‘drive-by compromise’, where actors compromise vulnerable WordPress websites and inject malicious JavaScript into their HTML pages. 

This script typically contains a TDS that redirects victims to malicious infrastructure and gathers information such as their IP address. VexTrio also operates SMS scams where it sells victims’ phone numbers to other cybercriminals.

“Although difficult to identify and track, blocking VexTrio at the DNS level can disrupt and protect against a large spectrum of cybercriminal activity,” Ms Burton said.

“This can be achieved through using tailored DNS signatures and statistical-based algorithms to identify VexTrio’s intermediary TDS servers and domains shortly after they are registered.

As Australian organisations look to raise their security posture in the wake of the new Cyber Security Strategy, it’s important to understand how DNS threat actors like VexTrio operate, particularly as more than 90 percent of malware depends on DNS at some stage of its execution.”

Infoblox specialises in uniting networking and security to deliver high performance and high protection at the same time. Many Fortune 100 companies are Infoblox clients as well as an ‘emerging innovators’ group for whom cyber security is evermore paramount. Infoblox promises “real-time visibility and control over who and what connects to your network, so your organization runs faster and stops threats earlier”.

The full report on VexTrio and its affiliate network can be found here.

Infoblox is also on LinkedIn and Twitter.




Contact Us


PO Box 2144