VexTrio

Security researchers have identified more than 70,000 legitimate websites that were compromised and folded into a criminal network used to distribute malware, host phishing pages, and serve other illicit content. The network, dubbed VexTrio, has operated largely undetected since at least 2017, and possibly earlier, but recent findings have revealed considerably more about how it works.

VexTrio Is a Considerable Operation That Could Lead to Severe Security Issues

The technique the criminals use is not especially complex. It mirrors the traffic distribution systems (TDSes) that legitimate marketers use to route visitors to particular sites based on their interests or similar attributes.

In VexTrio's case, tens of thousands of compromised websites redirect their visitors to pages that push malware downloads, display counterfeit login forms to harvest credentials, or run other fraudulent schemes.

Roughly 60 affiliates are believed to take part in the network in various roles. Some contribute compromised websites, which funnel visitors into VexTrio's TDS infrastructure; the TDS then steers the victims' browsers toward malicious pages. The TDS typically redirects a visitor only if they match the operators' criteria. TDSes commonly check attributes such as the visitor's browser, operating system, geolocation and referrer, so crawlers, sandboxes and researchers that fail the check are sent somewhere harmless and never see the malicious destination.

VexTrio charges the operators of the fraudulent destination sites for the web traffic it sends them, and the affiliates who supplied the compromised websites receive a share. The TDS can also route visitors to scam sites run by the VexTrio crew itself, so the criminals profit directly from their own fraud as well. Its reach and layered setup make VexTrio a significant security risk.
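The script below is an added example, not code from the researchers or from any site involved in VexTrio. It models the chain the text describes (compromised page, then TDS, then landing page) against an in-memory stand-in for the web, and shows why a TDS is hard to investigate: the same starting URL leads a Windows browser to a fake-update page while a crawler is bounced to a benign site. Every hostname, the User-Agent filtering rule and the response bodies are constructed for the example; the three redirect mechanisms it parses (3xx Location header, meta refresh, JavaScript location assignment) are the ones real browsers honour.

```python
"""Reconstruct a TDS-style redirect chain offline.

Added example, not code from the VexTrio research or from any affected site.
Every hostname below is a constructed placeholder, and the 'web' is an
in-memory dictionary standing in for real HTTP responses."""
import re
from urllib.parse import urljoin, urlparse


def _compromised_site(_headers):
    # Hop 1: a legitimate-looking page carrying an injected JavaScript redirect.
    body = ('<html><body><h1>My gardening blog</h1></body>'
            '<script>window.location.replace("https://tds-gateway.example/r?sid=7");</script>'
            '</html>')
    return 200, {}, body


def _tds_gateway(headers):
    # Hop 2: the TDS gates on visitor attributes. This toy checks only the
    # User-Agent; real TDSes also weigh geolocation, referrer, device type
    # and whether the source IP has been seen before.
    ua = headers.get("User-Agent", "")
    if "Windows" in ua and "bot" not in ua.lower():
        return 302, {"Location": "/step2"}, ""
    # Visitors that fail the check (crawlers, sandboxes, researchers) are
    # bounced to a harmless page so the chain looks benign.
    return 302, {"Location": "https://benign-news.example/"}, ""


def _tds_step2(_headers):
    # Hop 3: a second layer that redirects with a meta refresh instead of a 3xx.
    return 200, {}, '<meta http-equiv="refresh" content="0; url=https://fake-update.example/chrome">'


def _landing(_headers):
    # Hop 4: the monetised destination, here a fake browser-update lure.
    return 200, {}, "<html>Your browser is out of date. Click to update.</html>"


WEB = {
    "https://compromised-blog.example/post": _compromised_site,
    "https://tds-gateway.example/r?sid=7": _tds_gateway,
    "https://tds-gateway.example/step2": _tds_step2,
    "https://fake-update.example/chrome": _landing,
    "https://benign-news.example/": lambda _h: (200, {}, "<html>Headlines</html>"),
}

# Redirect mechanisms a browser honours that a chain walker must parse.
META_REFRESH = re.compile(
    r'''<meta[^>]+http-equiv=["']refresh["'][^>]+content=["'][^"']*?url=([^"'>\s]+)''', re.I)
JS_LOCATION = re.compile(
    r'''(?:window\.|document\.)?location(?:\.href)?\s*(?:=|\.replace\(|\.assign\()\s*["']([^"']+)["']''', re.I)


def next_hop(url, status, headers, body):
    """Return the URL the browser would load next, or None if the page is final."""
    if 300 <= status < 400 and "Location" in headers:
        return urljoin(url, headers["Location"])
    for pattern in (META_REFRESH, JS_LOCATION):
        m = pattern.search(body)
        if m:
            return urljoin(url, m.group(1))
    return None


def follow_chain(start, user_agent, web=WEB, max_hops=10):
    """Walk the chain as a browser with the given User-Agent would; return every URL visited."""
    chain, url = [start], start
    for _ in range(max_hops):
        handler = web.get(url)
        if handler is None:
            break  # destination outside our offline web
        status, headers, body = handler({"User-Agent": user_agent})
        nxt = next_hop(url, status, headers, body)
        if nxt is None or nxt in chain:  # final page, or a redirect loop
            break
        chain.append(nxt)
        url = nxt
    return chain


def hosts(chain):
    """Distinct hostnames in visiting order; a chain crossing several is the TDS signature."""
    seen = []
    for h in (urlparse(u).hostname for u in chain):
        if h not in seen:
            seen.append(h)
    return seen


if __name__ == "__main__":
    victim_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
    for ua in (victim_ua, "Googlebot/2.1 (+http://www.google.com/bot.html)"):
        print(ua, "->", " -> ".join(hosts(follow_chain("https://compromised-blog.example/post", ua))))
```

When investigating a real chain, the same walker needs to be driven with the User-Agent, Accept-Language and source IP of a plausible victim; fetching with a default client library or from a data-centre address is exactly the case the TDS filter is built to deflect.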

VexTrio Is Being Used to Deliver Harmful Malware Threats to Victims

One malware strain distributed through VexTrio is SocGholish, also known as FakeUpdates, which has been one of the most prevalent malware families since the beginning of 2024.

SocGholish is written in JavaScript and typically fires when a user visits a compromised website. It targets Windows machines and poses as a browser update. If the unsuspecting user downloads and runs the supposed update, SocGholish acts as a loader, pulling backdoors, ransomware and other malicious components onto the PC. It has been observed delivering GootLoader, Dridex, NetSupport, DoppelPaymer and AZORult onto victims' machines. The malware is attributed to a financially motivated group tracked as TA569 and UNC1543.
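Because the lure ends with the user running a JavaScript file on Windows, the endpoint side of that behaviour is where defenders can catch it. The script below is an added example, not detection content from the researchers cited here. It turns the text's description (a .js file posing as a browser update, opened by the user) into a scoring heuristic over process-creation events; the field names follow Sysmon Event ID 1, the sample events are constructed, and the indicator weights and alert threshold are assumptions to be tuned against real telemetry.

```python
"""Flag Windows Script Host launches consistent with a fake-browser-update lure.

Added example, not detection content from the researchers cited above. It
encodes the behaviour described in the text (a JavaScript file posing as a
browser update, run by the user on Windows) as a heuristic over
process-creation events; the field names follow Sysmon Event ID 1, the events
themselves are constructed for this example, and the weights are assumptions."""
import re

# Constructed sample events (not real telemetry).
EVENTS = [
    {   # A user double-clicks the downloaded "update" and wscript.exe runs it.
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\Downloads\Chrome.Update.js"',
        "ParentImage": r"C:\Windows\explorer.exe",
        "User": r"CORP\alice",
    },
    {   # Legitimate logon script: a script host, but not JavaScript and not user-initiated.
        "Image": r"C:\Windows\System32\cscript.exe",
        "CommandLine": r"cscript.exe //B C:\Windows\Scripts\logon.vbs",
        "ParentImage": r"C:\Windows\System32\userinit.exe",
        "User": r"CORP\bob",
    },
    {   # IT inventory task: JavaScript, but from a protected path under a scheduler.
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"wscript.exe C:\ProgramData\Tooling\inventory.js",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # Ordinary browser launch, ignored entirely.
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
        "ParentImage": r"C:\Windows\explorer.exe",
        "User": r"CORP\alice",
    },
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Parents that imply a person opened the file (Explorer or a browser's download bar).
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Windows Script Host file types that run JavaScript (.wsf can embed JScript).
SCRIPT_ARG = re.compile(r'''["']?([^"'\s]+\.(?:js|jse|wsf))(?=["'\s]|$)''', re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:Downloads|Desktop|AppData\\Local\\Temp)\\", re.I)
UPDATE_LURE = re.compile(r"(?:chrome|firefox|edge|opera|browser)[\w.\-]*update", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons). Each matched indicator adds one point (assumed weights)."""
    if _basename(ev["Image"]) not in SCRIPT_HOSTS:
        return 0, []
    score, reasons = 1, ["Windows Script Host process created"]
    m = SCRIPT_ARG.search(ev["CommandLine"])
    if not m:
        return score, reasons
    script = m.group(1)
    score += 1
    reasons.append(f"executes script file {script}")
    if USER_WRITABLE.search(script):
        score += 1
        reasons.append("script lives in a user download/temp location")
    if _basename(ev["ParentImage"]) in INTERACTIVE_PARENTS:
        score += 1
        reasons.append("launched from an interactive parent (user opened the file)")
    if UPDATE_LURE.search(_basename(script)):
        score += 1
        reasons.append("filename imitates a browser update")
    return score, reasons


def detect(events, threshold=3):
    """Return alerts for events scoring at or above the threshold (an assumed cut-off)."""
    alerts = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"index": i, "user": ev["User"], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"ALERT event #{a['index']} user={a['user']} score={a['score']}")
        for r in a["reasons"]:
            print("  -", r)
```

The scoring separates the lure from the two legitimate script-host uses in the sample: the logon script is not JavaScript, and the inventory task runs from a protected path under a scheduler rather than from a user's Downloads folder. Real environments will need the thresholds and the allow-list of parents adjusted, and the .js-to-wscript file association removed altogether on hosts that have no business running WSH scripts.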

There is also evidence that VexTrio is used to distribute ClearFake, another fake-browser-update campaign, which delivers information-stealing malware to its victims.

Ransomware Groups Reaped Record Ransom Payments from Victims

In 2023, ransomware groups rebounded strongly: payments to them surpassed $1 billion, reflecting a substantial increase in the scale and complexity of their attacks and reversing the decline observed in 2022. Researchers note that the trend from 2019 to 2023 points to a persistent and growing problem despite the temporary dip in 2022. The reported figure also understates the full economic impact, which includes lost productivity and the recovery costs borne by victims.

Indeed, 2023 saw a marked rise in the frequency, scale and volume of ransomware attacks carried out by a broad range of actors, from large syndicates to small groups and individuals. Initial Access Brokers (IABs) played a key role by breaking into networks and selling that access to ransomware operators at relatively low cost.

As for where the ransom proceeds go, centralized exchanges and mixers have consistently been the favoured laundering channels. In 2023, however, newer services such as cross-chain bridges, instant exchangers and gambling platforms emerged as laundering routes and quickly gained traction.
