Infoblox’s exposé on VexTrio marks a significant milestone in combating DNS-based cyber threats

Infoblox exposed VexTrio as the largest broker of malicious traffic on record after tracking the group’s affiliate activities since 2020.

This comes after the DNS-based security and services company found that VexTrio is one of the most dominant and influential players in the cybercrime underworld.

The group has been active since at least 2017 and allegedly operates as a ‘traffic broker’ to control multiple Traffic Distribution System (TDS) networks and to manipulate web traffic, executing sophisticated cybercrime activities.

With a network of more than 60 affiliates, including high-profile cybercriminals, VexTrio was discovered by Infoblox through DNS analysis, and the company has continued to track activity that impacts over 50 per cent of customer networks.

VexTrio was found to be the most extensive malicious traffic broker “ever described in security literature”. Because the group is highly adaptable, its cybercrime activity is harder to detect: it works through affiliates and changes its attack methods.

It has managed over 70,000 known domains in the past six years and impacted tens of thousands of businesses using a drive-by compromise of vulnerable WordPress websites, where malicious JavaScript is injected to redirect traffic to its own TDS network.
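The drive-by compromise described above relies on a script that does not belong to the site being injected into otherwise legitimate pages. As an added defender-side illustration, not code from Infoblox or from its report, the Python below parses a page's HTML, lists every script tag, and flags two things a site owner can triage: external script sources whose host is not on the site's own allowlist, and inline scripts that contain redirect calls. The sample page, the allowlist and every host name in it are constructed placeholders, not real indicators.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a WordPress-style document with one first-party script,
# one external script from an unknown host, one inline redirect and one benign inline
# script. All host names are placeholders invented for this example.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://unknown-cdn.test/loader.js"></script>
</head><body>
<p>Welcome to the site.</p>
<script>var _0x=1;window.location.href="https://redirect-placeholder.test/?s=1";</script>
<script>console.log("analytics stub");</script>
</body></html>"""

# Hosts the site legitimately loads scripts from (assumed allowlist for the example).
ALLOWED_HOSTS = {"www.example-site.test"}

# Inline-script constructs worth a second look: navigation away from the page and
# common script-construction calls used to hide a redirect target.
REDIRECT_PATTERNS = [
    re.compile(r"location\s*\.\s*(href|replace|assign)", re.I),
    re.compile(r"window\s*\.\s*location", re.I),
    re.compile(r"document\s*\.\s*write", re.I),
    re.compile(r"\beval\s*\(", re.I),
    re.compile(r"fromCharCode", re.I),
]


class ScriptCollector(HTMLParser):
    """Collects (src, inline_body) for every <script> element in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._current_src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._current_src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers script content through handle_data (CDATA mode).
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._current_src, "".join(self._buf)))
            self._in_script = False


def find_suspicious_scripts(html_text, allowed_hosts):
    """Return a list of findings; each is a dict with a 'kind' and supporting detail."""
    parser = ScriptCollector()
    parser.feed(html_text)
    findings = []
    for src, body in parser.scripts:
        if src:
            host = urlparse(src).hostname
            # Relative paths (hostname None) are first-party and are not flagged;
            # protocol-relative "//host/x.js" still yields a hostname and is checked.
            if host and host not in allowed_hosts:
                findings.append({"kind": "external_src", "host": host, "src": src})
        else:
            hits = [p.pattern for p in REDIRECT_PATTERNS if p.search(body)]
            if hits:
                findings.append({"kind": "inline_redirect", "patterns": hits,
                                 "snippet": body.strip()[:80]})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_scripts(SAMPLE_HTML, ALLOWED_HOSTS):
        print(finding)
```

A real site loads many legitimate third-party scripts, so the allowlist has to be maintained from a known-good copy of the theme and plugins; a hit is a triage lead to compare against the files on disk and the site's DNS and proxy logs, not a verdict on its own.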

Infoblox’s findings are important to understanding and combating DNS-based cyber threats.

Further findings are that VexTrio operates its affiliate program in a unique way; that it provides a small number of dedicated servers to each affiliate; that its affiliate relationships appear to be longstanding; and that its attack chains can involve multiple actors.

The company’s findings stated: “VexTrio’s advanced business model facilitates partnerships with other actors and creates a sustainable and resilient ecosystem that is extremely difficult to destroy. Due to the complex design and entangled nature of the affiliate network, precise classification and attribution is difficult to achieve. This complexity has allowed VexTrio to flourish while remaining nameless to the security industry for over six years.”

The full report is available to download from its website.
