Meet VexTrio, a network of 70K hijacked websites crooks use to sling malware, fraud

Some useful indicators of compromise right here

More than 70,000 presumably legit websites have been hijacked and drafted into a network that crooks use to distribute malware, serve phishing pages, and share other dodgy stuff, according to researchers.

This mesh of compromised sites is known as VexTrio, and has been mostly flying under the radar since its inception in 2017 or earlier, though lately more details about the operation have emerged.

The process is simple, and mirrors the traffic distribution systems, or TDSes, that the marketing world uses to direct netizens to particular sites based on their interests or similar.

In the case of VexTrio, tens of thousands of websites are compromised so that their visitors are redirected to pages that serve up malware downloads, show fake login pages to steal credentials, or perform some other fraud or cyber-crime.

It's said at least 60 affiliates are involved in the network in some way. Some partners provide the compromised websites, which send marks to VexTrio's own TDS infrastructure, which in turn directs those victims' browsers to harmful pages. The TDS typically only redirects people if they meet certain criteria.

VexTrio takes a fee from the crooks running the fraudulent sites for directing web traffic their way, and the miscreants who provided the compromised websites in the first place get a cut. We're told the TDS also sends netizens to scam websites operated by the VexTrio crew itself, allowing the criminals to profit directly from their fraud.
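One way a site operator can spot the compromised-site to TDS to landing-page pattern described above is to rebuild each visitor's redirect chain from access or proxy logs. The script below is an added example, not code from the Infoblox or Check Point reports, and the log lines, hostnames and log format are constructed for illustration:

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy-log excerpt (not real data). Fields per line:
# client IP, requested URL, HTTP status, Location header ("-" if none).
SAMPLE_LOG = """\
10.0.0.5 https://www.example-blog.test/post/1 302 https://tds.example-redirector.test/go?x=1
10.0.0.5 https://tds.example-redirector.test/go?x=1 302 https://update.example-landing.test/update.js
10.0.0.5 https://update.example-landing.test/update.js 200 -
10.0.0.9 https://www.example-blog.test/post/1 200 -
10.0.0.7 https://www.example-blog.test/post/2 302 https://www.example-blog.test/post/2/
10.0.0.7 https://www.example-blog.test/post/2/ 200 -
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+)$")
REDIRECTS = {301, 302, 303, 307, 308}

def host(url): return urlparse(url).hostname or ""

def parse_log(text):
    """Yield (client, url, status, location) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            client, url, status, loc = m.groups()
            yield client, url, int(status), (None if loc == "-" else loc)

def find_tds_chains(text, site_host, min_external_hops=2):
    """Per-client redirect chains that begin on site_host and pass through at least
    min_external_hops distinct off-site hosts. Same-site redirects are ignored."""
    by_client = defaultdict(list)
    for client, url, status, loc in parse_log(text):
        by_client[client].append((url, status, loc))
    flagged = {}
    for client, reqs in by_client.items():
        chain = []
        for i, (url, status, loc) in enumerate(reqs):
            if not chain and host(url) != site_host:
                continue                      # chain must begin on our own site
            chain.append(url)
            nxt = reqs[i + 1][0] if i + 1 < len(reqs) else None
            if status not in REDIRECTS or loc != nxt:
                break                         # no redirect, or visitor did not follow it
        offsite = {host(u) for u in chain} - {site_host}
        if len(offsite) >= min_external_hops:
            flagged[client] = chain
    return flagged
```

Because a TDS only redirects visitors matching its criteria, expect only a subset of clients to be flagged; compare against visitors who fetched the same page and were not sent off-site.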

In its January global threat index, Check Point on Friday labeled VexTrio a "considerable" security risk, citing its reach and sophisticated setup.

"VexTrio is yet another reminder of how commercially-minded the [cybercrime] industry has become," Check Point veep of research Maya Horowitz commented.

This follows an extensive investigation by Infoblox published last month, with the help of infosec bod Randy McEoin, that concluded VexTrio was the "single most pervasive threat" to its own customers. Of the TDS crew's 70,000-odd known domains, references or links to almost half were apparently spotted in those customers' networks.

In its technical report, co-written by McEoin and staff researcher Christopher Kim, Infoblox disclosed signs of compromise that you can look out for on your own IT environments.

The security shop has been tracking VexTrio for two years, and first flagged up the group in June 2022. Back then, however, "we didn't fully appreciate the breadth of their activities and depth of their connections within the cybercrime industry," the biz said last month.

Interestingly enough, and perhaps as an indicator of the TDS's reach, one strain of malware pushed via VexTrio is SocGholish, aka FakeUpdates, which topped Check Point's list of the most prevalent malware in January, affecting four percent of observed organizations worldwide. This downloader even outpaced Qbot last month, which had a global impact of three percent, we're told.

SocGholish, which is written in JavaScript and targets Windows machines, is usually triggered when a user visits a compromised website. It pretends to offer a browser update which, when accepted and run by the mark, infects their PC with backdoor malware, ransomware, and other stuff. In January, SocGholish was observed bringing GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult onto victims' machines.

It's believed that a financially motivated crew tracked as TA569 by Proofpoint and UNC1543 by Mandiant is behind SocGholish.

Infoblox said the info-stealing ClearFake malware, documented here by McEoin, is also pushed via VexTrio.

Also, according to Check Point's report, and perhaps unsurprisingly to anyone who follows news headlines, ransomware crews had a decent start to 2024. This part deserves a big caveat, however. The security firm bases this info on about 200 ransomware groups' leak sites, and these aren't always the most reliable measure of which organizations have suffered infections, and by whom.

Victims' names are frequently removed by the crims during negotiations, or sometimes they never even make the sites if they pay up quickly. Plus, extortionists aren't always the most honest folks. So take these numbers with a healthy amount of salt.

According to Check Point's metrics: LockBit3 was responsible for 20 percent of the claimed attacks, followed by 8Base with 10 percent, and Akira with nine percent. The last two of those three are relative newbies who made a name for themselves in 2023 and show no sign of going away. ®
