VexTrio Malicious Network Spreads Malware
Researchers have discovered that over 70,000 apparently legitimate websites have been taken over and incorporated into a network, known as VexTrio, utilized by criminals for distributing malware, deploying phishing pages, and sharing other illicit content. This network, active since 2017 or earlier, operates similarly to traffic distribution systems (TDSes) used in marketing to direct users to specific sites based on their interests. VexTrio compromises tens of thousands of websites, redirecting their visitors to pages hosting malware downloads, fake login interfaces for credential theft, or engaging in other fraudulent cyber activities.
VexTrio Works Similarly to MaaS
Approximately 60 affiliates are reportedly involved in the VexTrio network. Some partners contribute compromised websites, sending users to VexTrio's TDS infrastructure, which then guides victims' browsers to harmful pages based on specific criteria. VexTrio charges fees to the criminals behind the fraudulent sites for directing web traffic, and those responsible for providing the compromised websites receive a share of the profits. The TDS also directs users to scam websites operated by the VexTrio crew, allowing them to directly benefit from their fraudulent activities.
Check Point, in its January global threat index, classified VexTrio as a significant security risk due to its extensive reach and sophisticated setup. This assessment aligns with a recent investigation by Infoblox, which labeled VexTrio as the "single most pervasive threat" to its customers. Infoblox has been tracking VexTrio for two years and highlighted signs of compromise that IT environments should be aware of.
Interestingly, one strain of malware distributed through VexTrio is SocGholish (aka FakeUpdates), which became the most prevalent malware in January, affecting four percent of observed organizations worldwide. SocGholish, written in JavaScript, is triggered when a user visits a compromised website and targets Windows machines by posing as a browser update. Once the victim accepts and runs the fake update, it installs backdoors, ransomware, and other malicious payloads on the PC.
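As an added illustration (not code from the article, Check Point, or Infoblox), the following Python sketch rebuilds the compromised site -> TDS hop -> fake-update lure -> download chain described in the two passages above from proxy-style records and flags it for a defender to review; the record layout, the sample records and the lure heuristics are all assumptions.

```python
import re

# Constructed sample proxy records (not from the article); the layout
# (client, status, url, referrer, content-type) is an assumption.
SAMPLE_ROWS = [
    ("10.0.0.5", 200, "https://blog.example/post/1", None, "text/html"),
    ("10.0.0.5", 200, "https://tds.example/r?k=abc", "https://blog.example/post/1", "text/html"),
    ("10.0.0.5", 200, "https://lure.example/chrome/update", "https://tds.example/r?k=abc", "text/html"),
    ("10.0.0.5", 200, "https://lure.example/Chrome.Update.zip", "https://lure.example/chrome/update", "application/zip"),
    ("10.0.0.9", 200, "https://news.example/", None, "text/html"),
    ("10.0.0.9", 200, "https://cdn.example/app.js", "https://news.example/", "application/javascript"),
]

# Heuristics (assumptions, tune per environment): a fake-update lure tends
# to carry "update" in a URL and end in a script or archive download.
LURE_PATH = re.compile(r"update", re.I)
DOWNLOAD_TYPES = {"application/zip", "application/javascript", "application/x-msdownload"}

def host_of(url):
    return re.sub(r"^https?://([^/]+).*$", r"\1", url)

def rebuild_chain(rows, row):
    """Follow referrers backwards for one client to the page the user started on."""
    by_key = {(r[0], r[2]): r for r in rows}
    chain, cur = [row], row
    while cur[3] is not None and (cur[0], cur[3]) in by_key:
        cur = by_key[(cur[0], cur[3])]
        if cur in chain:  # guard against referrer loops
            break
        chain.append(cur)
    return list(reversed(chain))

def suspicious_chains(rows, min_hosts=3):
    """Flag chains that cross >= min_hosts distinct hosts, touch a lure-looking
    URL and end in a download: compromised site -> TDS hop -> lure -> payload."""
    flagged = []
    for row in rows:
        chain = rebuild_chain(rows, row)
        distinct_hosts = len({host_of(r[2]) for r in chain})
        ends_in_download = chain[-1][4] in DOWNLOAD_TYPES
        has_lure = any(LURE_PATH.search(r[2]) for r in chain)
        if distinct_hosts >= min_hosts and ends_in_download and has_lure:
            flagged.append([r[2] for r in chain])
    return flagged

if __name__ == "__main__":
    for chain in suspicious_chains(SAMPLE_ROWS):
        print(" -> ".join(chain))
```

The ordinary first-party script load for client 10.0.0.9 crosses only two hosts and is not flagged, which is the point of requiring a multi-host chain rather than matching on a download alone.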