Infoblox has exposed crucial insights into the cybercriminal entity VexTrio, unravelling its intricate web of malicious connections with other cybercriminal enterprises such as ClearFake and SocGholish. Conducted in collaboration with the security researcher who uncovered the ClearFake malware, this research aims to shed light on the depth of affiliations among these threat actors, exposing their illicit activities detected within global networks.
VexTrio commands a large and malicious network that reaches a broad audience of internet users. Through a criminal affiliate program involving over 60 partners, including prominent entities such as SocGholish and ClearFake, it has emerged as the most pervasive DNS threat actor, operating clandestinely for six years and impacting over 50% of customer networks. Operating as an invisible traffic broker has allowed VexTrio to evade detection by other vendors, complicating efforts to track and identify it.
Infoblox’s research has yielded several key findings, including:
- VexTrio operates its affiliate program uniquely, assigning a small number of dedicated servers to each affiliate.
- Longstanding affiliate relationships are observed, with SocGholish being a VexTrio affiliate since at least April 2022, and ClearFake likely collaborating with VexTrio since its campaign launch in August 2023.
- VexTrio attack chains involve multiple actors, with instances of up to four actors in an attack sequence.
- VexTrio and its affiliates abuse referral programs related to McAfee and Benaughty.
- VexTrio controls multiple TDS networks, including a newly revealed DNS-based TDS observed in late December 2023.
Infoblox has been monitoring VexTrio via DNS since 2020, and recent evidence suggests its enterprise began as early as 2017. The ongoing evolution of VexTrio, coupled with its partnerships with significant actors like SocGholish, underscores its pivotal role in the criminal industry, a role that has so far gone largely unrecognized by the security industry.
VexTrio’s affiliate program operates similarly to a legitimate marketing affiliate network, utilizing DNS infrastructure owned by multiple cybercriminal entities. The research highlights the critical role of Traffic Direction Systems (TDS) in the estimated $8 trillion cybercrime economy. With the global cost of cybercrime surpassing $7 trillion and expected to rise steadily, the research underscores the escalating threat landscape, particularly in the Asia-Pacific region, a major hotspot for cybercrime due to rapid digitalization and the widespread adoption of new technologies.