VexTrio: Cybercrime Uber – Malware Brokers for 60+ Affiliates

January 23, 2024

VexTrio, a cybercrime group active since at least 2017, has been identified by researchers as the largest known malicious traffic broker. It works with more than 60 affiliates, including the ClearFake and SocGholish operations, and the campaigns it feeds have distributed malware, riskware, spyware and potentially unwanted programs.

The group runs a network of more than 70,000 domains and monetizes it through a traffic distribution system (TDS): visitors arriving from compromised sites and affiliate campaigns are profiled and redirected to whatever payload or scam page a paying customer has bought. VexTrio is believed to control several TDS networks, including ones used by its affiliates. How affiliates are recruited is not known, but the group is suspected of advertising its services on dark web forums.

The TDS is sophisticated and complex. The domains it routes traffic through are produced by a dictionary domain generation algorithm (DDGA), which strings dictionary words together so that the hostnames read like ordinary words rather than random strings. To gather traffic, the group exploits vulnerabilities in content management systems such as WordPress and injects rogue JavaScript into the compromised sites. It is also suspected of running its own web traffic campaigns by abusing referral programs and reselling the resulting traffic to other actors.

The intricate, entangled affiliate network makes attribution and classification difficult, which is how the group went unnamed as a distinct actor for more than six years. Researchers recommend blocking VexTrio's domains in DNS: every hop through the TDS requires a lookup of one of its domains, so a DNS block disrupts the redirect chain regardless of which affiliate delivered the visitor.
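Because DDGA hostnames are built from real words, the character-entropy heuristics that catch classic DGAs miss them. A different heuristic is to ask whether a label tiles exactly into dictionary words. The script below is an added illustration of that check, not code from the research summarized here or from any vendor tool; the wordlist is a toy dictionary, and the hostnames in the embedded DNS log are constructed for the example and are not VexTrio indicators.

```python
"""Heuristic triage of dictionary-DGA (DDGA) style hostnames in a DNS log.

Added example for this article, not code from the VexTrio research.
WORDLIST and SAMPLE_DNS_LOG are constructed for the illustration; a real
deployment would use a full dictionary and a public suffix list.
"""

# Toy dictionary. A real one would hold tens of thousands of words.
WORDLIST = frozenset("""
apple bright cloud deep east fast garden happy island joint king
lemon moon night ocean paper quick river stone tiger under vivid
water yellow zebra ever green secure update portal news host
""".split())

MIN_WORD_LEN = 3  # ignore tiny fragments like "an" or "it" that tile anything


def segment_words(label, words=WORDLIST):
    """Return the fewest dictionary words that exactly tile `label`, or None.

    Dynamic programming over prefixes: best[i] is the shortest segmentation
    of label[:i]. Only alphabetic labels are considered; anything with
    digits or hyphens is not a DDGA candidate under this heuristic.
    """
    if not label.isalpha():
        return None
    label = label.lower()
    n = len(label)
    best = [None] * (n + 1)
    best[0] = []
    for end in range(MIN_WORD_LEN, n + 1):
        for start in range(0, end - MIN_WORD_LEN + 1):
            if best[start] is None:
                continue
            piece = label[start:end]
            if piece in words and (best[end] is None
                                   or len(best[start]) + 1 < len(best[end])):
                best[end] = best[start] + [piece]
    return best[n]


def ddga_words(hostname, words=WORDLIST, min_words=2):
    """Return the words making up the second-level label of `hostname` if it
    tiles completely into at least `min_words` dictionary words, else None.

    labels[-2] is taken as the second-level label, which is naive for public
    suffixes such as co.uk; production code should consult a suffix list.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    seg = segment_words(labels[-2], words)
    if seg is None or len(seg) < min_words:
        return None
    return seg


# Constructed resolver log lines (timestamp, then key=value fields).
SAMPLE_DNS_LOG = """\
2024-01-23T10:00:01Z client=10.0.0.5 qname=brightoceanupdate.example qtype=A
2024-01-23T10:00:02Z client=10.0.0.5 qname=www.example.com qtype=A
2024-01-23T10:00:03Z client=10.0.0.7 qname=cdn.deepriverportal.example qtype=A
2024-01-23T10:00:04Z client=10.0.0.7 qname=x7k2q9.example qtype=A
2024-01-23T10:00:05Z client=10.0.0.9 qname=secure.example qtype=A
"""


def triage_log(log_text):
    """Map each queried name whose SLD looks dictionary-generated to its words."""
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        qname = fields.get("qname")
        if not qname:
            continue
        words = ddga_words(qname)
        if words:
            flagged[qname] = words
    return flagged


if __name__ == "__main__":
    for name, words in triage_log(SAMPLE_DNS_LOG).items():
        print(f"{name}: {'+'.join(words)}")
```

Treat a hit as a triage signal, not a block decision: plenty of legitimate brands are word concatenations too, so the score should be combined with domain age, registrar and nameserver patterns, and the TDS-style redirect behaviour described above before a name is added to a DNS blocklist.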
