Cyber Web Spider Blog – News
Hundreds of WordPress Websites Hacked By VexTrio Viper Group to Run Massive TDS Services

Posted on June 14, 2025 By CWS

A sophisticated cybercriminal enterprise known as VexTrio has orchestrated one of the most extensive WordPress compromise campaigns ever documented, hijacking hundreds of thousands of websites globally to operate massive traffic distribution systems (TDS) that funnel victims into elaborate scam networks.

This malicious operation, which has been active since at least 2015, represents a paradigm shift in how cybercriminals monetize compromised web infrastructure, turning legitimate websites into unwitting participants in a sprawling criminal advertising ecosystem.

The scope of VexTrio's operation came to light following revelations that Los Pollos, a Swiss-Czech advertising technology company, was operating as a front for the criminal group.

Analysis indicates that nearly 40 percent of compromised websites that redirected visitors were channeling traffic to VexTrio through Los Pollos smartlinks, affecting multiple malware campaigns including the Balada, DollyWay, and Sign1 operations.

These compromises have persisted for years, with some affiliate relationships dating back to May 2019, demonstrating the remarkable longevity and stability of VexTrio's criminal infrastructure.

Infoblox analysts identified the intricate relationship between WordPress malware actors and malicious advertising technology through comprehensive analysis of over 4.5 million DNS queries spanning six months.

The researchers discovered that when Los Pollos announced the cessation of its push monetization services on November 17, 2024, several seemingly independent malware operations simultaneously migrated to what appeared to be a new TDS called Help TDS, revealing coordinated criminal infrastructure that had previously remained hidden.

The criminal enterprise operates through a complex web of affiliate advertising networks that blur the lines between legitimate marketing services and cybercrime.

A high-level picture of the role of affiliate networks in malicious adtech (Source: Infoblox)

VexTrio controls multiple entities including Los Pollos, Taco Loco, and Adtrafico, each serving different functions within the larger ecosystem.

Changes in behavior over time for the two independent C2 sets (Source: Infoblox)

These companies recruit both publishing affiliates, who compromise websites, and advertising affiliates, who create the malicious content delivered to victims, creating a self-sustaining criminal economy that has generated substantial revenue for participants over nearly a decade.

DNS TXT Record Command and Control Infrastructure

One of the most sophisticated aspects of VexTrio's operation involves the abuse of DNS TXT records as a command and control mechanism, turning the internet's fundamental naming system into a covert communication channel for malware operations.

This technique, first documented by security researchers in August 2023, represents a significant evolution in malware infrastructure design that leverages the trusted nature of DNS communications to evade detection.

The malware campaigns use DNS TXT records to encode Base64-formatted URLs that direct compromised website visitors to malicious content.

When a victim visits an infected WordPress site, malicious scripts automatically query specific DNS domains controlled by the attackers, retrieving encoded redirection instructions that appear as legitimate DNS traffic to network monitoring systems.

The relationship between select domains seen in TDS URLs and the TDS (Source: Infoblox)

The DNS query itself contains encoded information about the website visitor embedded in the hostname, allowing the command and control server to tailor responses based on victim characteristics such as geographic location, browser type, and referral source.

Analysis of the command and control infrastructure revealed two distinct operational clusters, each maintaining separate hosting arrangements and URL formatting conventions while ultimately directing traffic to the same criminal destinations.

The first cluster used domains such as cndatalos[.]com and data-cheklo[.]world hosted on IP addresses 46[.]30[.]45[.]27 and 65[.]108[.]195[.]250, while the second cluster employed domains like webdmonitor[.]io and logs-web[.]com on infrastructure including 185[.]11[.]61[.]37 and 185[.]234[.]216[.]54.

The sophistication of this DNS-based command and control system extends beyond simple URL redirection, incorporating dynamic response capabilities that allow operators to modify campaign behavior in real time without updating malware on compromised websites.

This architectural approach provides unprecedented operational flexibility while maintaining persistence through automated monitoring systems that detect and reactivate disabled malicious plugins, making complete remediation particularly challenging for website administrators and security teams.
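The two traits described above, visitor data smuggled into the query hostname and a Base64 URL returned in the TXT answer, are what a resolver-log hunt should key on. The following is an added defender-side example, not code from the article or from Infoblox: it runs a small heuristic over constructed resolver log lines (the `client qtype qname` layout, the placeholder domain `c2.evil-example.test` and the entropy threshold are all assumptions) and decodes a TXT value back into the redirect URL.

```python
import base64
import binascii
import math
import re
from collections import Counter

# Constructed resolver log (not from the article). Layout "<client-ip> <qtype> <qname>"
# is an assumption; c2.evil-example.test is a placeholder, not a domain from the report.
SAMPLE_LOG = """\
10.0.0.12 A www.example.org
10.0.0.12 TXT _dmarc.example.org
10.0.0.45 TXT aHR0cHM6Ly9zaG9wLmV4YW1wbGUuY29t.c2.evil-example.test
10.0.0.45 TXT Zmlyc3Q7VVM7Q2hyb21lOyMx.c2.evil-example.test
"""

BENIGN_TXT_LABELS = ("_dmarc", "_domainkey", "_acme-challenge")
B64_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")  # base64 or base64url, 16+ chars

def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_encoded(label: str) -> bool:
    """Heuristic (threshold is our choice): long base64-like label with high entropy."""
    return bool(B64_LABEL.match(label)) and shannon_entropy(label) > 3.5

def flag_txt_queries(log: str):
    """Return (client, qname) for TXT queries whose leftmost label looks like encoded data."""
    hits = []
    for line in log.splitlines():
        client, qtype, qname = line.split()
        first = qname.split(".")[0]
        if qtype == "TXT" and first not in BENIGN_TXT_LABELS and looks_encoded(first):
            hits.append((client, qname))
    return hits

def b64_to_text(s: str):
    """Decode standard or URL-safe Base64 to UTF-8 text; None if it is not valid Base64."""
    s = s.replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)  # restore padding stripped to fit a hostname label
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def decode_txt_payload(txt: str):
    """A TXT answer that Base64-decodes to an http(s) URL is a redirect instruction."""
    decoded = b64_to_text(txt)
    return decoded if decoded and decoded.startswith(("http://", "https://")) else None
```

Feed `flag_txt_queries` your resolver or passive-DNS export and pass the flagged leftmost labels through `b64_to_text` to see what visitor details were sent; in the sample, the second label decodes to a constructed `first;US;Chrome;#1` profile string.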

