Executive Summary
During routine review of zero-hour alerts, the Menlo Security Threat Intelligence team discovered users visiting compromised sites. These sites are part of a larger cybercrime organization, VexTrio, which uses a Traffic Direction System (TDS). We saw two notable campaigns associated with this organization and what appeared to be an infrastructure change. In this write-up we discuss what we saw from the victim's point of view when visiting this cybercrime ring's infrastructure.
What is a Traffic Direction System (TDS)? A system that uses a network of hacked servers to route victims to domains that distribute malware, serve ads, or run scams.
VexTrio: Anatomy of a cybercrime ring
VexTrio runs an affiliate program that gives affiliates access to its TDS. Attackers compromise WordPress websites and inject malicious JavaScript that routes traffic to the TDS based on specific criteria (discussed below). Depending on the victim's operating system (OS) fingerprint, the victim is routed to a different affiliate. Infoblox published an article, written by Christopher Kim and Randy McEoin, on their discovery of VexTrio in January 2024. We will focus on two campaigns Menlo has unique insight into: the "Bella turned Shaul" campaign and "ClearFake".
Campaign 1: Bella to Shaul
The Bellatrixmeissa domain is a malicious site, previously reported by Malwaretips and others, that uses social engineering tactics to trick users into enabling browser notifications. Victims are then bombarded with ads that subtly promote a range of malware, from greyware to Gootloader. Menlo Security has observed this attack across Asia, North America, Europe, the Middle East, Australia, and South America.
While investigating this, we uncovered how prolific the campaign had been across Menlo customers since March, and we uncovered a shift to new infrastructure: shauladubhe[.]com. As activity associated with Bellatrixmeissa declined, activity on Shauladubhe rapidly increased, showing the threat actors moving their operation from one domain to the other.
Over 140 days, the following campaign IDs were identified within our environment:
- CHbdBrRj60iP0ZNnHuMm7w
- EOLqXWl7sEqTC3w7GMZt4A
- l-C8wnA9n02pICp-zt1xVA
- TMO4rBkyiESdae2M5urijA
- CHiI7Gh3GUyTa8XGgNqDyQ
Adware
With high probability we assess that VexTrio is involved, as the key identifiers reported for their previous attacks are:
- A translator JavaScript file, trls.js (e.g. SHA256: e2bb1401d6b8d6038ff8411fd0f6280890ecd1f32e3e90f4c7fededf2801339)
- URL paths /space-robot/ and /eyes-robot/
- (Further IOCs are included under references)
In these attacks we observed both of the previously reported IOCs above, which leads us to assess with high probability that this is also VexTrio.
Campaign 2: ClearFake
ClearFake is a malicious JavaScript framework that dynamically presents website visitors with harmful content via an HTML iframe. Users are tricked into clicking a fake browser update button that eventually leads to a malware infection (e.g. the Amadey infostealer). We know that ClearFake has been an affiliate of VexTrio for at least five months.
ClearFake Attack Chain:
1. User visits the compromised website injected with malicious JavaScript
2. The injected code calls the API of the popular cryptocurrency exchange platform Binance
3. Obfuscated JavaScript is returned and evaluated
4. ClearFake TDS running Keitaro is called
5. The response from Keitaro is a redirection to VexTrio TDS
From https://blogs.infoblox.com/threat-intelligence/cybercrime-central-vextrio-operates massive-criminal-affiliate-program/
Unraveling the ClearFake chain
When users visit the compromised site, a script (rocketlazyloadscript) runs to fingerprint their browser. If the browser is Internet Explorer and other conditions are met, it manipulates the current URL to include a 'nowprocket' parameter and then reloads the page with this new URL.
These conditions are tied to various page events: when the page has fully loaded (window.onload), when the user navigates to the page via the back or forward buttons (pageshow event), and when the Document Object Model (DOM) is ready (DOMContentLoaded event).
The script then triggers the Binance/ClearFake script called "ethers.js" to run.
In this example, however, when the "ethers.js" script runs it attempts to pull down another script. This fails, and the response is a console log message in Chinese that translates to "there is no more". The base64-encoded console log message is shown below. This suggests that, for this contract, the next stage is not currently being served.
Console log responses, cleaned up via an internal analyst tool
Notably, there appears to be a possible generic API key used to interact with "ethers[.]io" that loads automatically when the user visits the compromised site.
In the console log area, we can see the compromised site trying to inject script into the ethers.js script running on the compromised site.
Contract analysis
The contract address used in this attack was 0xdf20921ea432318dd5906132edbc0c20353f72d6. A couple of transactions are listed, and some of them appear to be spam related.
https://blockchair.com/polygon/address/0xdf20921ea432318dd5906132edbc0c20353f72d6
Another contract we saw but didn’t include in this analysis is 0x34585777843Abb908a1C5FbD6F3f620bC56874AA.
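Pulling the identifiers from the Adware section (trls.js, the /space-robot/ and /eyes-robot/ paths, the campaign IDs, the Bellatrixmeissa and Shauladubhe hosts) and the ClearFake chain above (the 'nowprocket' reload, the ethers.io and Binance hosts) into one detection over web proxy logs. This is an added example written for this write-up, not Menlo Security's tooling; the log format, the host regex and the sample requests are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators quoted in the write-up: VexTrio TDS hosts and URL paths, the campaign IDs,
# and the hosts the ClearFake loader contacts. Host regex and log format are assumptions.
VEXTRIO_HOSTS = re.compile(r"(^|\.)(bellatrixmeissa|shauladubhe)\.com$")
VEXTRIO_PATHS = ("/space-robot/", "/eyes-robot/", "/trls.js")
CAMPAIGN_IDS = {"CHbdBrRj60iP0ZNnHuMm7w", "EOLqXWl7sEqTC3w7GMZt4A", "l-C8wnA9n02pICp-zt1xVA",
                "TMO4rBkyiESdae2M5urijA", "CHiI7Gh3GUyTa8XGgNqDyQ"}
CLEARFAKE_HOSTS = {"cdn.ethers.io", "bsc-dataseed1.binance.org"}

def classify_url(url):
    """Return the indicator tags one requested URL matches (empty list means clean)."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path
    reasons = []
    if VEXTRIO_HOSTS.search(host):
        reasons.append("vextrio-tds-host")
    if any(p in path for p in VEXTRIO_PATHS):
        reasons.append("vextrio-tds-path")
    if any(seg in CAMPAIGN_IDS for seg in path.split("/")):  # campaign ID as a path segment
        reasons.append("vextrio-campaign-id")
    if host in CLEARFAKE_HOSTS:
        reasons.append("clearfake-chain-host")
    # rocketlazyloadscript reloads the page with a 'nowprocket' parameter before ethers.js runs
    if "nowprocket" in parse_qs(parts.query, keep_blank_values=True):
        reasons.append("nowprocket-reload")
    return reasons

def scan_proxy_log(lines):
    """Group flagged requests per client so one victim's whole redirect chain is visible."""
    hits = {}
    for line in lines:
        fields = line.split()  # constructed format: "<time> <client-ip> <method> <url>"
        if len(fields) < 4:
            continue
        reasons = classify_url(fields[3])
        if reasons:
            hits.setdefault(fields[1], []).append((fields[3], reasons))
    return hits

# Constructed sample log: 10.0.0.5 walks the ClearFake chain, 10.0.0.7 lands on the TDS.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 10.0.0.5 GET https://blog.example/2024/post/?nowprocket=1
2024-06-01T10:00:02Z 10.0.0.5 GET https://cdn.ethers.io/lib/ethers.js
2024-06-01T10:00:03Z 10.0.0.5 POST https://bsc-dataseed1.binance.org/
2024-06-01T10:00:09Z 10.0.0.7 GET https://qltuh.shauladubhe.com/TMO4rBkyiESdae2M5urijA/eyes-robot/
2024-06-01T10:00:10Z 10.0.0.9 GET https://www.example.org/index.html
"""
```

Grouping by client matters more than any single match: a lone request to a Binance data-seed host is common, while the same client also reloading a WordPress page with 'nowprocket' and then fetching ethers.js is the chain this write-up describes.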
Impact and conclusion
We assess that the VexTrio cybercrime ring will continue to be a prevalent and substantial global threat, impacting all sectors with its large-scale operation. We will continue to monitor related campaigns.
Visiting a compromised WordPress site that is part of the VexTrio cybercrime ring poses significant risks to users, organizations, and the broader internet ecosystem. These sites are being used to deliver a variety of payloads including, but not limited to, adverts, PUPs and malware. This undermines cybersecurity efforts and creates severe consequences for organizations:
- Data Theft and Privacy Breaches: Compromised sites can harvest personal information, including login credentials, financial details, and sensitive data. If a user's privacy is severely compromised, it could lead to identity theft, financial loss, or abuse of corporate credentials.
- Malware Infection: These sites frequently distribute malware that can infect users' devices. Once malware is installed, it can lead to system damage, data corruption, and unauthorized access to personal and organizational networks.
- Financial Loss: Users may face direct financial losses due to stolen payment information or indirect costs from repairing malware damage. Additionally, businesses can suffer financial repercussions from reputational damage and legal liabilities, as well as the cost of restoring infected systems.
- Spread of Cybercrime: By interacting with these sites, users inadvertently contribute to the cybercrime ecosystem. This activity supports the operation of criminal networks and enables them to perpetuate further cyber attacks.
- Compromised Network Security: Infected devices can become entry points for broader network attacks, affecting entire organizations. This can result in significant disruptions, data breaches, and extensive recovery efforts.
- Erosion of Trust: The prevalence of compromised sites erodes trust in digital platforms and services. Users become wary of online interactions, which can stifle online engagement.
References
VexTrio at the Center of Affiliate Cybercrime Program | Infoblox
JavaScript Malware Switches to Server-Side Redirects & DNS TXT Records as TDS
Bellatrixmeissa.com Virus: What Is It And How To Stop Pop-ups