January 25, 2024
Severity
High
Analysis Summary
Researchers’ latest findings reveal the emergence of a significant player in the cybercrime landscape named VexTrio, believed to be the largest malicious traffic broker documented. Since 2017, VexTrio has been linked to various malicious campaigns utilizing a dictionary domain generation algorithm (DDGA) to disseminate scams, malware, and unwanted content. Notably, it facilitated the distribution of Glupteba malware in 2022 and orchestrated a large-scale attack involving compromised WordPress websites in August 2023.
VexTrio operates a vast network of over 70,000 domains, servicing approximately 60 affiliates including notorious groups like ClearFake and SocGholish. Affiliates receive dedicated servers from VexTrio and utilize multiple traffic distribution systems (TDS) to route visitors to illicit content based on various attributes.
The network employs sophisticated TDS servers, utilizing HTTP and DNS protocols to efficiently manage and direct web traffic. While SocGholish is a known affiliate, it also operates other TDS servers like Parrot TDS. However, there’s no conclusive evidence of VexTrio’s involvement with Parrot TDS.
VexTrio’s affiliates primarily target vulnerable WordPress websites, injecting malicious scripts to redirect traffic. These injections exploit known security vulnerabilities in content management systems, enabling the distribution of malware and fraudulent content.
Besides brokering web traffic for other actors' campaigns, VexTrio is suspected of running its own operations, profiting from referral programs, and reselling traffic to downstream threat actors. The complexity of its affiliate network makes precise classification and attribution challenging, which has allowed VexTrio to evade identification by the security industry for over six years.
Researchers emphasize the crucial role of disrupting VexTrio’s operations, asserting that blocking its traffic in DNS effectively halts related cybercrime activities. VexTrio is characterized as the “kingpin of cybercrime affiliations,” underscoring the significance of targeting such traffic brokers to combat global consumer cybercrime effectively.
Impact
- Cyber Crime
Indicators of Compromise
Domain Name
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enabling two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that could be exploited by info-stealers and other types of malware.
- Promptly apply security patches and updates for operating systems, software applications, and browsers. This helps to address vulnerabilities that threat actors may exploit to deliver malware.
- Utilize web filtering solutions and URL reputation services to block access to known malicious websites and prevent users from visiting potentially dangerous links.
- Implement network segmentation to restrict access and isolate critical systems, such as those hosting sensitive financial information or accounts. This prevents lateral movement of malware and limits the impact of a potential compromise.
- Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to quickly respond to and mitigate any potential breaches.
- Maintain regular backups of critical data, and ensure they are stored securely offline. This enables quick recovery in case of a successful attack or data loss.
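The DNS-blocking and IOC-search steps above, as an added example that is not part of the advisory or Rewterz tooling: a Python script that matches resolver query logs against a subset of the advisory's domain IOCs (exact or sub-domain match, so the listed sub-domain d.strouchridun.top does not cause its parent to match) and emits BIND-style Response Policy Zone records for them. The log layout, client addresses and sample lines are constructed.

```python
"""Scan DNS query logs for the advisory's domain IOCs and emit RPZ-style block
records. Added example, not Rewterz tooling; log layout and IPs are constructed."""
import re

# Subset of the advisory's IOC domains. d.strouchridun.top is listed as a
# sub-domain, so its parent strouchridun.top is deliberately NOT matched.
IOC_DOMAINS = {"bonustop-price.life", "allprizeshub.life", "greatbonushere.top",
               "tiktok.superbowsm.top", "d.strouchridun.top"}

def normalize(name):
    """Lower-case and drop the trailing dot that resolver logs often add."""
    return name.strip().lower().rstrip(".")

def matches_ioc(qname, iocs=IOC_DOMAINS):
    """Return the IOC that qname equals or sits beneath, else None."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):          # walk up: a.b.c -> b.c -> c
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None

# Constructed layout: "<timestamp> <client-ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def scan_dns_log(lines):
    """Return (client, qname, matched_ioc) for every query that hits an IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # skip malformed lines, keep scanning
        _ts, client, qname, _qtype = m.groups()
        ioc = matches_ioc(qname)
        if ioc:
            hits.append((client, normalize(qname), ioc))
    return hits

def rpz_records(iocs=IOC_DOMAINS):
    """RPZ zone lines that NXDOMAIN each IOC and everything beneath it."""
    return [r for d in sorted(iocs) for r in (f"{d} CNAME .", f"*.{d} CNAME .")]

SAMPLE_LOG = [                            # constructed sample lines
    "2024-01-25T10:01:02Z 10.0.0.12 cdn.allprizeshub.life. A",
    "2024-01-25T10:01:03Z 10.0.0.12 example.com A",
    "2024-01-25T10:01:05Z 10.0.0.33 STROUCHRIDUN.TOP A",
    "2024-01-25T10:01:07Z 10.0.0.33 x.d.strouchridun.top A",
    "garbage line",
]
```

Label-wise matching avoids the substring pitfall of `"allprizeshub.life" in qname`, which would also flag an unrelated `notallprizeshub.life`.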