Malicious Traffic Distribution System Spotted by Researchers – Source: www.databreachtoday.com

Cybercrime
,
Fraud Management & Cybercrime

Cybercrime Groups Hire VexTrio to Help Route Victims to Their Malicious Content

Mathew J. Schwartz (euroinfosec) •
January 23, 2024    

As if the cybercrime ecosystem wasn’t already damaging enough, security researchers have discovered further evidence of its professionalization and specialization through an online redirection service that researchers said is the single largest provider of traffic brokering.

See Also: Live Webinar | Securing the Cloud: Mitigating Vulnerabilities for Government

Cybersecurity firm Infoblox said that two well-known cybercrime groups, SocGholish and ClearFake, are among the dozens of different threat groups that appear to have a relationship with VexTrio, a malicious traffic broker they hire to route victims to their malicious sites, via what’s known as a traffic distribution system. A TDS assesses victims based on a number of factors, including device type, location and any known vulnerabilities present in their browser, and routes them according to clients’ requirements.

Since launching six years ago, VexTrio has built and maintains multiple traffic distribution systems used by over 60 affiliates, says a new report from Santa Clara, California-based Infoblox.

In that time frame, the researchers have connected VexTrio to takeovers of multiple legitimate domains – in one case, a compromised hospital website in Colombia infected with malicious JavaScript – and especially WordPress sites with known vulnerabilities, which allow them to reroute user traffic. VexTrio also continues to register “large quantities of domains daily” – adding up so far to at least 70,000 malicious domains – by using a dictionary-based domain-generation algorithm, to give them a ready, ever-changing supply of domains for hosting malicious content.

The TDS term hails from the marketing realm, where it refers to intermediaries tracking individual internet users and attempting to serve them relevant advertising. The cybercrime take on this approach typically swaps out legitimate, if not always welcome, advertising in favor of serving victims malicious content.

Just as with legitimate advertising, many cybercrime groups appear to be ready and willing to pay for high-quality referrals, based on a variety of criteria they supply to a TDS provider, experts say.

For cybercriminals, “a TDS is responsible for analyzing a victim’s profile, including browser settings and cached data,” Infoblox said. “If their profile matches VexTrio’s target criteria, a TDS will redirect that web visitor to illegitimate content,” all while maintaining metrics, such as the number of referrals and success rate, and crediting referrals from affiliates.

In some cases, the TDS might route a user to a website designed to inject JavaScript or malicious HTML, pushing malware such as Glupteba, malicious code tied to another malware developer or malware-as-a-service group, or ransomware. Sometimes victims are sent to pages sporting fake dating profiles, software application updates or tech support scam pages. Other times, the TDS might hand the user off to another TDS, in part to obscure what might be happening, before routing to one of the aforementioned types of pages.

Groups such as SocGholish and ClearFake have long been tied to the use of social engineering attacks, serving users fake updates for browsers and Microsoft Teams, among other types of lures designed to infect victims with malware.

Infoblox said that while SocGholish and ClearFake each run their own TDS, they also appear to have “strategic partnerships” with VexTrio, via which they pass victims to its TDS. Whatever financial or other arrangement these groups share isn’t clear.

One difficulty with identifying this type of malicious infrastructure is that it often resembles legitimate marketing operations and handling of legitimate advertising traffic, Infoblox said. “VexTrio’s use of URL query parameter names that overlap with common advertising affiliate keywords, such as Urchin Tracking Module, as well as look-alike TDS domains that infringe technology brands,” it said.

To complicate attempts by malicious traffic distribution system operators such as VexTrio to forcibly redirect users to malicious content, Infoblox recommends organizations put multiple strategies in place. These include restricting users’ browsing to websites with a Secure Sockets Layer certificate – resulting in URLs that begin with https rather than http, blocking push notifications from untrusted websites and using ad-blocking software to curtail not just pop-ups but other functionality attackers might abuse.