One threat group in focus is VexTrio, which adds SocGholish and ClearFake malware to its repertoire of DNS and phishing threats
Did you know that cybercriminals have been trying out an organizational structure similar to that of affiliate marketing networks? This structure has overlaps with the characteristics of multi-level marketing (MLM), and can be used to turn cybercrime into an even more highly-lucrative occupation.
One threat group in focus is VexTrio, which controls a large and malicious network that reaches a wide audience of internet users. Through a criminal affiliate program with over 60 partners (including high-profile entities like SocGholish and ClearFake), the group is one of the most pervasive DNS threat actors, operating for six years and impacting over 50% of customer networks.
Its role as an invisible traffic broker has kept it undetected by other vendors, complicating detection and tracking, according to Infoblox research, which has uncovered the following additional findings about VexTrio:
- It operates its affiliate program in a unique way, providing a small number of dedicated servers to each affiliate. Each cyberattack uses DNS infrastructure owned by multiple cybercriminal entities. Participating cybercriminal affiliates forward user traffic originating from their own services (such as a compromised website) to VexTrio-controlled traffic distribution system (TDS) servers. VexTrio then relays these flows of user traffic to other cybercriminal affiliate networks or fake web pages. In many cases, VexTrio also redirects victims to its ongoing phishing campaigns.
- Its affiliate relationships appear longstanding, possibly beginning in 2017 or earlier. For example, SocGholish has been an affiliate since at least April 2022. ClearFake is assessed to have worked with VexTrio throughout its lifetime, at least since launching its campaigns in August 2023.
- VexTrio’s attack chains can include multiple actors, with up to four actors being noted in an attack sequence.
- The group and its affiliates are abusing referral programs related to McAfee and Benaughty.
- It controls multiple TDS networks that function in different ways. In particular, a new DNS-based TDS was first observed in late December 2023.
While SocGholish and ClearFake are most associated with malware and fake software update pages, these two entities also operate TDS servers that route internet users based on the visitor's details: device information, operating system, location, and other personal details.
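Added example, not code from Infoblox or from the research described above: a small Python detector that reconstructs redirect chains from web-proxy log lines and flags hand-offs that cross three or more registered domains, the site-to-broker-to-affiliate pattern the findings describe. The log format, the hostnames and the sample lines are constructed for this example.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy lines: "<client> <status> <url> <Location header or '-'>".
# The first client follows a four-domain hand-off; the second is a plain http->https hop.
SAMPLE_LOG = """\
10.0.0.5 200 https://news.example-site.test/article -
10.0.0.5 302 https://news.example-site.test/wp-content/x.php https://tds-one.example-broker.test/r?x=1
10.0.0.5 302 https://tds-one.example-broker.test/r?x=1 https://tds-two.example-affiliate.test/go
10.0.0.5 302 https://tds-two.example-affiliate.test/go https://update-now.example-lure.test/flash.html
10.0.0.5 200 https://update-now.example-lure.test/flash.html -
10.0.0.7 301 http://shop.example-site.test/ https://shop.example-site.test/
10.0.0.7 200 https://shop.example-site.test/ -
"""

def registered_domain(url):
    """Crude registrable domain: last two labels of the hostname (demo only)."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def parse_log(text):
    """Yield (client, status, url, location) from the constructed log format."""
    for line in text.splitlines():
        client, status, url, loc = line.split()
        yield client, int(status), url, (None if loc == "-" else loc)

def build_chains(records):
    """Follow each client's 3xx Location hops into ordered redirect chains."""
    by_client = defaultdict(dict)
    for client, status, url, loc in records:
        if 300 <= status < 400 and loc:
            by_client[client][url] = loc
    chains = []
    for client, hops in by_client.items():
        targets = set(hops.values())
        for start in [u for u in hops if u not in targets]:  # chain heads only
            chain, cur = [start], start
            while cur in hops and hops[cur] not in chain:  # stop on loops
                cur = hops[cur]
                chain.append(cur)
            chains.append((client, chain))
    return chains

def flag_tds_chains(chains, min_domains=3):
    """Flag chains that pass through >= min_domains distinct registered domains."""
    flagged = []
    for client, chain in chains:
        domains = list(dict.fromkeys(registered_domain(u) for u in chain))
        if len(domains) >= min_domains:
            flagged.append((client, domains))
    return flagged
```

Running `flag_tds_chains(build_chains(parse_log(SAMPLE_LOG)))` returns only the first client's chain, with the four domains it traversed in order.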