'VexTrio' TDS: The Biggest Cybercrime Operation on the Web?

The traffic distribution system supports tens of thousands of malicious domains and cyberattack campaigns that reach far and wide globally.

4 Min Read
traffic jam on roadway
Source: Amanda Ahn via Alamy Stock Photo

A single traffic distribution system (TDS) operator in possession of more than 70,000 domains is facilitating scams, phishing, and malware infections on an unprecedented scale.

The group, "VexTrio," isn't known for its malicious campaigns, though it does occasionally get its feet wet in cybercrime. Instead, it manages a TDS network connecting threat actors who compromise vulnerable websites with those who host malicious content.

Though VexTrio isn't the one with its finger on the trigger, its capacity for spreading malfeasance on the Internet shouldn't be underestimated. Infoblox, which published a detailed report about the group today, characterizes it as the most widespread threat actor in the wild, touching more than half of all organizations it's monitored in the past two years.

"This is the single largest, most pervasive, most persistent threat that we have in our customer networks," says Renée Burton, head of threat intelligence at Infoblox. "Pretty much any kind of network that we see is going to have this activity in it."

How VexTrio TDS Works

VexTrio operates a cluster of more than 70,000 ever-changing domains — a redirection monster, used to absorb traffic from resources controlled by its more than 60 cybercrime affiliate groups.

Quite often these are compromised WordPress sites. For example, SocGholish and ClearFake, a couple of VexTrio's most famous contemporaries, have become known for injecting exposed sites with malicious JavaScript that prompts users with fake browser update notifications

VexTrio's TDS servers quickly filter traffic based on information gleaned from browser settings and cached data, including the target's operating system, location, and other potentially relevant data. If the victim matches a predefined profile, they're redirected to another affiliate's malicious content (or sometimes, an affiliate's own TDS network or VexTrio's own content). Like the input, this output content runs the gamut: fake apps, scam webforms, and everything in the middle.

This arrangement allows attackers to identify and reject traffic from cyber researchers and botnets. It functions as a load balancer, prevents wasted resources on unintended targets, and provides metrics VexTrio can use to monitor performance and distribute credit to affiliates. With the VexTrio model, attackers can specialize in the aspects of cybercrime they do best. But most importantly, it's a tool for microtargeting.

"I'm a victim who's clicked on a link, it could have come from malvertising, it could have been that I just randomly browsed a site," Burton explains. "If you think about it, it's the same reason that legitimate traffic distribution systems are used. There are brokers who make sure website publishers receive the most money possible from the advertisers, that advertisers receive the most applicable content. And the criminal world is working essentially the same way."

How VexTrio Is So Invisible and Persistent

VexTrio uses a bevy of tricks to evade detection: a dictionary domain generation algorithm (DDGA) to dynamically generate large numbers of domains every day, multi-staged chains of TDS redirections, URL query parameter names that overlap with referral links used by legitimate TDS networks, and so on.

VexTrio additionally maintains a number of compromised websites of its own, which, combined with its large roster of affiliates, means its business is hardly affected if a few clients are taken out by cyber defenders.

Most significantly, VexTrio benefits from appearing in most ways like any other legitimate TDS network. It performs all of the normal business functions that its counterparts in online advertising do — only its clientele fit a different profile.

Burton bemoans, "It's very hard for security companies or registries to go after the middleman because they're not actually hosting the malicious content. They're just the delivery guys, so gathering evidence about them is really hard. What are you going to say? 'I think this domain is doing a malicious redirection.' Now prove it. They don't actually have any malicious software.

"So that middle section — the TDS, that broker — those guys are more persistent, more pervasive, and have more stable infrastructure than either the compromised sites on their left side or the malicious sites on their right side," she explains.

To finally bring the fight to the middleman, she says, "we can do a lot more collaboration and sharing. We always recommend that people have defense-in-depth. And hopefully registrars and registries will also become a more proactive player in the security environment and look for signs of malicious TDS."

"Admittedly, it's very difficult for those industries," Burton admits. "There are a lot of rules regarding freedom on the Internet that hinder that."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights