This cybercrime network acts like a food delivery service for criminals — and even uses legitimate affiliate marketing techniques to recruit other partners-in-crime

A digital padlock on a blue digital background.
(Image credit: Shutterstock / vs148)

Cybersecurity researchers from Infoblox have revealed new research on VexTrio, a “massive criminal affiliate program” that the team says counts more than five dozen criminal organizations in its customer list.

As explained by the researchers, VexTrio is a complex, and massive, traffic direction system (TDS). It operates similarly to a legitimate marketing affiliate network, in that a threat actor will forward victim traffic from their own services (for example, compromised websites) to a TDS server under VexTrio’s control. 

VexTrio will then forward it to other affiliate networks or web pages, or its own active phishing campaigns.

Kingpin

The researchers started tracking the network via DNS in 2020, but argue that the project probably kicked off in 2017, if not earlier. There are more than 60 affiliates in the program, including high-profile names such as SoCGholish, or ClearFake. Some of the affiliates also run their own TDS’, the researchers explain. Sometimes, they’ll look to monetize their campaigns by keeping the traffic relevant for their efforts, and relaying the rest.

VexTrio’s operation is unique in the way that it provides a small number of dedicated servers to each affiliate, it was said. The partnerships are healthy, as with some of its affiliates, such as SoCGholish and ClearFake, they’ve been going on for years. VexTrio attack chains can include multiple actors, the researchers further explained. “We have observed four actors in an attack sequence,” they said.

In some cases, VexTrio and its affiliates abuse referral programs related to McAfee and Benaughty.

"Due to the complex design and entangled nature of the affiliate network, precise classification and attribution is difficult to achieve. This complexity has allowed VexTrio to flourish while remaining nameless to the security industry for over six years,” Renée Burton, head of threat intelligence at Infoblox, told The Hacker News. For Burton, VexTrio is the "kingpin of cybercrime affiliations," as "global consumer cybercrime thrives because these traffic brokers go unnoticed.” 

Consequently, blocking VexTrio traffic in DNS means blocking all related crime, “regardless of what it is and whether you know about it."

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.