New findings from Infoblox show that WordPress hackers and Traffic Distribution System (TDS) operators associated with VexTrio work in a coordinated manner. Analysis of DNS telemetry revealed links between criminal groups that previously appeared to be independent.
When the TDS was disrupted, multiple malware actors that depended on it migrated to the same alternative TDS. This transition showed that what initially appeared to be an independent TDS may have been connected to VexTrio.
By analyzing 4.5 million DNS TXT record responses from compromised websites over six months, Infoblox Threat Intel discovered two different command-and-control servers within Russian infrastructure. These discoveries provide insight into the structure of DNS malware campaigns.
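The page mentions that the campaigns were traced through DNS TXT record responses returned to compromised websites. As an added example, not Infoblox's tooling, the script below shows one way a defender could hunt for that pattern in their own passive-DNS telemetry: TXT answers that are not recognisable policy strings but clean base64 blobs, grouped by the name that served them. The record format, domain names, addresses and payloads are all constructed for illustration.

```python
import base64
import binascii
import re
from collections import defaultdict

# Constructed passive-DNS telemetry: (client_ip, queried_name, TXT rdata).
# Every name, address and payload is invented; the encoded rows mimic a TXT
# answer that carries a redirect target instead of a DNS policy string.
def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

SAMPLE_TXT_RESPONSES = [
    ("203.0.113.10", "example-wp-site.test", "v=spf1 include:_spf.example.test ~all"),
    ("203.0.113.10", "t1.lookup.example-tds.test", _b64("https://landing.example-tds.test/go?id=1234")),
    ("203.0.113.11", "t1.lookup.example-tds.test", _b64("https://landing.example-tds.test/go?id=5678")),
    ("203.0.113.12", "_dmarc.example-wp-site.test", "v=DMARC1; p=none"),
]

# TXT content expected in normal operation (assumption: extend per environment).
BENIGN_PREFIXES = ("v=spf1", "v=DMARC1", "google-site-verification=", "MS=")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def looks_like_encoded_payload(rdata: str, min_len: int = 32) -> bool:
    """True when a TXT record is neither a known policy string nor short, but a
    base64 blob that decodes cleanly: the shape of data smuggled through DNS."""
    rdata = rdata.strip().strip('"')
    if rdata.startswith(BENIGN_PREFIXES) or len(rdata) < min_len:
        return False
    if not B64_RE.match(rdata) or len(rdata) % 4:
        return False
    try:
        base64.b64decode(rdata, validate=True)
    except binascii.Error:
        return False
    return True

def hunt_txt_c2(records):
    """Group suspicious TXT answers by queried name, so a single name feeding
    encoded blobs to many distinct clients stands out for analyst review."""
    hits = defaultdict(lambda: {"clients": set(), "responses": 0, "sample": None})
    for client_ip, qname, rdata in records:
        if looks_like_encoded_payload(rdata):
            entry = hits[qname]
            entry["clients"].add(client_ip)
            entry["responses"] += 1
            entry["sample"] = entry["sample"] or base64.b64decode(rdata).decode("utf-8", "replace")
    return dict(hits)

if __name__ == "__main__":
    for qname, info in hunt_txt_c2(SAMPLE_TXT_RESPONSES).items():
        print(f"{qname}: {info['responses']} answers to {len(info['clients'])} clients, e.g. {info['sample']}")
```

On real telemetry the same grouping by queried name is what lets one TDS lookup name serving many compromised sites surface above ordinary SPF, DMARC and verification records.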
Commercial adtech as a weak link
Further investigation reveals that several Traffic Distribution Systems share a surprising number of characteristics with VexTrio. These include the commercial adtech companies Partners House, Bro Push, and RichAds. When adtech company Los Pollos stopped push monetization, the number of fake login screens via other commercial adtech companies increased.
Although the relationships between these commercial entities remain unclear, they are clearly long-standing partners that forward traffic to each other. They all have a Russian connection, but there is no evidence of common ownership.
Ongoing threat
The identified relationships between website hackers and the VexTrio network pose a significant danger. First, they highlight the ongoing threat of organized crime and its ability to adapt quickly. Second, the scale of these attacks is significant.
Adtech platforms operate extensive infrastructure that can deliver specific payloads to millions of users. At the same time, they use personal data to deliver the most effective lure to each target. Finally, this ecosystem targets thousands of legitimate websites that run WordPress or another content management system, damaging the brand and reputation of the organizations behind them.
Identification via unique identifiers
The choice of malware actors to use commercial adtech could well be their Achilles’ heel. In unraveling the relationships between the website hackers and the VexTrio network, it became clear that unique identifiers exist for each malware operator at each of the companies involved.
The malware hackers check network affiliates before allowing them to join, and they keep personal information about the affiliates and their payments, which could be used to identify them. The real test will be the willingness of adtech operators to report malicious actors who plague the internet and have stolen untold amounts of money from victims worldwide.