Cybersecurity researchers at Infoblox published a report exposing VexTrio, a massive malicious traffic direction system (TDS) organization. VexTrio, with a shadowy network of over 60 affiliates, has been diverting traffic into its network, both operating its own TDS and collaborating with affiliates such as ClearFake and SocGholish.
ClearFake and SocGholish are affiliates that mainly deal with malware and fake software update pages. Both operate traffic distribution systems that route users based on the victim’s device, operating system, location, and other characteristics. VexTrio also operates a TDS that routes compromised web traffic sourced from affiliates, as well as from its own infrastructure, to various forms of malicious content. However, VexTrio is a traffic broker without direct ties to any specific malware.
While ClearFake emerged relatively recently, VexTrio and SocGholish have been active since at least 2017 and 2018, respectively, flying under the radar due to their distinct focus on traffic brokering rather than malware dissemination.
What sets VexTrio apart is its extensive affiliate program, which involves at least 60 partners. The affiliate relationships, spanning several years, have been a crucial factor in VexTrio's sustained existence. SocGholish, for instance, has been linked to VexTrio since at least April 2022, indicating a longstanding partnership. ClearFake, although a more recent player, has collaborated with VexTrio since launching its campaigns in August 2023.
Researchers have uncovered VexTrio's involvement in attack chains featuring multiple actors. The cybercriminal organization, along with its affiliates, has been exploiting referral programs related to well-known brands such as McAfee and Benaughty.
“VexTrio’s affiliate program operates similarly to legitimate marketing affiliate networks. Generally, each attack involves infrastructure owned by multiple entities. Participating affiliates forward traffic originating from their own resources (e.g. compromised websites) to VexTrio-controlled TDS servers. Subsequently, VexTrio conditionally relays these flows of traffic to other actors’ nefarious content or to other malicious affiliate networks. In many cases, VexTrio also redirects victims to campaigns that they operate directly,” the researchers noted.
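The multi-party chain described above (compromised site, affiliate redirector, broker TDS, final payload page) leaves a trail of 3xx hops in web proxy logs. The following added example, which is not part of the Infoblox report, reconstructs redirect chains per client from constructed log records and flags chains that cross several unrelated domains; the hostnames are placeholders, not real indicators.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log records (placeholder hosts, not real indicators).
# Each record: client IP, requested URL, HTTP status, Location header, Referer.
LOG = [
    {"client": "10.0.0.5", "url": "https://affiliate-tds.example/r?id=1", "status": 302,
     "location": "https://broker-tds.example/go", "referer": "https://compromised-blog.example/post"},
    {"client": "10.0.0.5", "url": "https://broker-tds.example/go", "status": 302,
     "location": "https://landing.example/update.html", "referer": None},
    {"client": "10.0.0.5", "url": "https://landing.example/update.html", "status": 200,
     "location": None, "referer": None},
    # Benign same-site canonical redirect: should not be flagged.
    {"client": "10.0.0.7", "url": "https://shop.example/", "status": 301,
     "location": "https://www.shop.example/", "referer": None},
    {"client": "10.0.0.7", "url": "https://www.shop.example/", "status": 200,
     "location": None, "referer": None},
]


def registrable(url):
    """Crude registrable-domain approximation: last two labels of the host."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def build_chains(records):
    """Link each client's 3xx responses into ordered redirect chains."""
    hops, refs = defaultdict(dict), defaultdict(dict)
    for r in records:
        if 300 <= r["status"] < 400 and r["location"]:
            hops[r["client"]][r["url"]] = r["location"]
            refs[r["client"]][r["url"]] = r.get("referer")
    chains = []
    for client, links in hops.items():
        targets = set(links.values())
        for start in links:
            if start in targets:          # not the first hop of a chain
                continue
            # The Referer of the first hop is usually the compromised entry site.
            chain = [refs[client][start], start] if refs[client][start] else [start]
            cur, seen = start, {start}
            while cur in links and links[cur] not in seen:  # follow hops, stop on loops
                cur = links[cur]
                chain.append(cur)
                seen.add(cur)
            chains.append((client, chain))
    return chains


def suspicious_chains(records, min_domains=3):
    """Flag chains spanning at least min_domains distinct registrable domains."""
    flagged = []
    for client, chain in build_chains(records):
        domains = list(dict.fromkeys(registrable(u) for u in chain))
        if len(domains) >= min_domains:
            flagged.append((client, chain, domains))
    return flagged
```

The domain threshold is a heuristic: legitimate ad and CDN redirects also cross domains, so flagged chains are a triage queue, not a verdict.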
VexTrio has been found to control multiple TDS networks, each operating in distinct ways. Notably, the organization has moved away from dedicated hosting and name servers to shared providers. Over 55% of VexTrio domains, previously tied to dedicated infrastructure, have migrated to shared hosting, further complicating efforts to track and shut down their operations.