This cybercrime network acts like a food delivery service for criminals — and even uses legitimate affiliate marketing techniques to recruit other partners-in-crime

Say hi to VexTrio, a major operation that’s remained hidden for years

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Cybersecurity researchers from Infoblox have revealed new research on VexTrio, a “massive criminal affiliate program” that the team says counts more than five dozen criminal organizations in its customer list.

As explained by the researchers, VexTrio is a complex, and massive, traffic direction system (TDS). It operates similarly to a legitimate marketing affiliate network, in that a threat actor will forward victim traffic from their own services (for example, compromised websites) to a TDS server under VexTrio’s control.

VexTrio will then forward it to other affiliate networks or web pages, or its own active phishing campaigns.

Kingpin

The researchers started tracking the network via DNS in 2020, but argue that the project probably kicked off in 2017, if not earlier. There are more than 60 affiliates in the program, including high-profile names such as SoCGholish, or ClearFake. Some of the affiliates also run their own TDS’, the researchers explain. Sometimes, they’ll look to monetize their campaigns by keeping the traffic relevant for their efforts, and relaying the rest.

VexTrio’s operation is unique in the way that it provides a small number of dedicated servers to each affiliate, it was said. The partnerships are healthy, as with some of its affiliates, such as SoCGholish and ClearFake, they’ve been going on for years. VexTrio attack chains can include multiple actors, the researchers further explained. “We have observed four actors in an attack sequence,” they said.

In some cases, VexTrio and its affiliates abuse referral programs related to McAfee and Benaughty.

“Due to the complex design and entangled nature of the affiliate network, precise classification and attribution is difficult to achieve. This complexity has allowed VexTrio to flourish while remaining nameless to the security industry for over six years,” Renée Burton, head of threat intelligence at Infoblox, toldThe Hacker News. For Burton, VexTrio is the “kingpin of cybercrime affiliations,” as “global consumer cybercrime thrives because these traffic brokers go unnoticed.”

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Consequently, blocking VexTrio traffic in DNS meansblocking all related crime, “regardless of what it is and whether you know about it.”

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

A new form of macOS malware is being used by devious North Korean hackers

Scammers are using fake copyright infringement claims to hack businesses

Quordle today – hints and answers for Saturday, November 9 (game #1020)