Uncovered: VexTrio— a Network Of 70,000 Compromised Sites That Delivers Traffic To Scam Websites | Maqvi News

A traffic distribution system (TDS) called VexTrio is taking the tech industry by storm as it partners up with 60+ affiliates and helps hackers distribute malware, phishing content, and other dangerous tools.

Some of their common exploitation techniques include malicious downloads and fake login pages that are used to steal credentials.

Another popular trick used by the group is through the CAPTCHA test. In this, the users are redirected to one of the compromised sites and asked to take a CAPTCHA test which is pretty common and hence seems legit.

During the test, they make the users click on the “Allow” button in order to proceed. But by doing so, these users unknowingly allow them to send push notifications. The group can then send malicious links anytime they want through these notifications.

The network is believed to have started in 2017 but has mostly managed to escape the radar until recently. The reason it probably went unnoticed for so long is that it’s only a middleman supplying traffic to scam websites and not an actual storehouse of malware.

How Does It Work?

To do this, they have hijacked over 70,000 websites that were previously legit and formed a network that other cybercriminals can use to lure in internet users.

Some of the affiliates have been working with the group for more than 4 years.

The team behind VexTrio contacts hackers with a compromised site as well as fraudsters who are willing to pay for traffic. Then it infiltrates the website and its content with a malicious redirect that will take the user to the fraudster’s desired location.

The fraudster in return will pay them for bringing in the victims and the hacker who originally hijacked the website will get a cut.

It is believed that VexTrio also runs its own group of scam websites that derive traffic from the TDS for free.

Also, by connecting with 60+ affiliates, VexTrio has managed to drastically increase its reach. These affiliates forward traffic from their own resources (like websites) to VexTrio’s TDS and also get a payment in return.

Some Of The Well-Known Affiliates Of The Group

One of its most well-known affiliates is ClearFake. Although the collaboration started only 5 months ago, the duo has managed to trick countless users.

ClearFake uses a very old trick from the book— malware downloads. Once a user has been redirected to its site, it instructs them to install the latest update of their browser and provides them with a link. But in reality, that link will install malware in the target device.

To avoid detection, Clear Fake doesn’t directly supply VexTrio with traffic. Instead, it routes them through another redirection point—the Keitaro service.

The notorious SocGholish malware campaign that’s known to have worked with ransomware gangs to gain access to corporate networks has also collaborated with VexTrio since last year. This group also used the Keitaro service as an intermediate point to deliver traffic to the TDS.

These inside details of the group and its activities came to light after Infoblox published a detailed report (co-written by McEoin and staff researcher Christopher Kim) along with infosec bod Randy McEoin. They have been tracking VexTrio’s activity for the last 2 years and raised concern over their activities in 2022 for the first time.

However, in their words, last year they “didn’t fully appreciate the breadth of their activities and depth of their connections within the cybercrime industry,”

According to another report by CheckPoint, the network had a good start to 2024. Approximately, 200 ransomware groups’ leak sites were linked to the group.

However, it’s doubtful how accurate these estimations are considering it’s hard to identify which organization was attacked by whom.