The Russians aren't coming, they are already here. Without most anyone realizing, they've created an entire malicious adtech industry whose story is just as complex as the Chinese organized crime we're now realizing from their ventures into pig butchering.

VexTrio is just one Russian organized crime group in the malicious adtech world, but they are a critical one. They have a very "special" relationship with website hackers that defies logic. I'd put my money on a contractual one. All your bases belong to Russian adtech hackers.

Today we've released the first piece of research that may eventually prove whether I am right. This paper is hard. I've been told. I know. We've condensed thousands of hours of research into about 30 pages. @briankrebs tried to make the main points a lot more consumable -- and wrote a fabulous complementary article. Read both!

There's so much more to say... but at the same time, between ourselves and Brian, we've released a lot of lead material ... and there's more to come. I've emphasized the Russian (technically Eastern European) crime here, but as Brian's article points out there is a whole Italian side too. And more.

We've given SURBL, Spamhaus, Cloudflare, Domain Tools, several registrars, and many security companies over 100k domains. They are also posted on our open github.

Super thanks to our collaborators at Qurium, GoDaddy Sucuri Security, and elsewhere.

#threatintel #scam #tds #vextrio #cybercrime #cybersecurity #infosec #dns #infoblox #InfobloxThreatIntel #malware #phishing #spam

https://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/

https://krebsonsecurity.com/2025/06/inside-a-dark-adtech-empire-fed-by-fake-captchas/

What is the Real Relationship between WordPress Hackers and Malicious Adtech?

A cabal of Russian-nexus adtech companies are the cybercriminal choice to drive users to scams and malware from millions of compromised sites.

Infoblox Blog

Trying to make a tough read snackable. (1/N)

About 40% of all compromised websites that led to a TDS in 2024, according to Sucuri/GoDaddy, went to VexTrio. Then they all flipped to Help TDS in late 2024.

Let's suppose the website malware actors are just random publishing affiliates of VexTrio -- this timeline is very interesting.

Why do the malware actors prepare to move off Los Pollos (VexTrio) links before Los Pollos announces that it is pausing push monetization? :thinking

Shady adtech is full of options for the shady publisher. Why do all the different malware actors move to the Help TDS? :reallythinking

In a free market economy, how does a company like Los Pollos gain the lion's share of black traffic from compromised sites? :reallyreallythinking

This timeline doesn't include all the actors that shifted from VexTrio to Help TDS.

Comments on Brian's article said that these companies are Ukrainian, not Russian.

We haven't studied the individuals behind the more recently discovered companies, but VexTrio folks are not Ukrainian. They are Russian-Belarusian and Italian for the most part.

This doesn't mean they are pro-Putin. Indeed, from what we've seen on social media they seem to be against Putin's invasion. They also target Russian citizens a lot -- Russia and the US are the top targets (they pay out the most in the affiliate network and have the most traffic).

We know all the true identities of the main players of VexTrio going back to 2004... no Ukrainians. But Push House, RichAds, PushBro, Monetizer may be different.

They definitely all speak Russian.

@knitcode would you say that is a culturally reinforced consequence? (That part of the world suffers from more than its fair share of "stiff the sucker, who should have known better".)

It's like an export when you bypass geographic boundaries.

VexTrio and the malware actors snackable (2/N).

At the heart of VexTrio is so-called "smartlinks". What is that? BlackHatWorld users explain it well. See pics.

Smartlinks are the lipstick on the pig called domain cloaking, which is provided by traffic distribution systems (TDS) owned by malicious adtech companies like Los Pollos and Taco Loco (and Adtrafico and and and).

#VexTrio #malware #tds #cybercrime #phishing #scam #threatintel #infoblox #infobloxthreatintel #infosec #cybersecurity #adtech

Snackable 3/N on VexTrio and the WordPress hackers. This one's a bit geeky. One type of malware that led to VexTrio exclusively until late November 2024 uses DNS TXT records to retrieve a redirection.

This is a tricky bugger and gives the malware actor an easy way to change things up if they are disrupted. The C2 domain (a DNS nameserver) isn't observed and the calls happen server side. The DNS TXT record malware was first observed by Sucuri/GoDaddy in 2023.

A compromised website makes a DNS TXT query that encodes the visitor's information and receives a redirection encoded in the response. When DNS queries to the C2 are blocked in the website's network, the visitor is protected -- we have had customers with compromised websites who still protected their users because we blocked the DNS query.

This malware is stubborn and is tricky to get rid of... there are also bots that come through regularly and update the compromised servers.

We used 4.5 million DNS queries over a ~6-month period to understand how the C2 and redirect domains interrelated. What we found were two distinct clusters (this is the really geeky part) that indicate separate operations. Both use bulletproof hosting and/or Russian hosting, both were exclusively VexTrio, and both in late November switched to Help TDS. They used a few different paths to get to VexTrio's Los Pollos links.

One of these clusters had not been previously reported to our knowledge.

What you see in this image is a composite view. The C2 for each cluster are:
* data-cheklo[.]world, cndatalos[.]com, data-infox[.]com
* logs-web[.]com, airlogs[.]net, webdmonitor[.]io, cloudstats[.]net, etc.
webdmonitor[.]io is still active.

#dns #threatintel #cybercrime #cybersecurity #infosec #malware #scam #VexTrio #tds
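The DNS TXT redirect mechanism described in the post above, reconstructed as an added example. This is not the malware's code and not Infoblox or Sucuri code: the C2 zone names are the ones listed in the post, but the way visitor data is packed into the query name (base32 JSON in 63-octet labels), the `redir=` TXT answer format, and the "no redirect for crawlers" cloaking rule are all assumptions made for the demonstration. The attacker nameserver and the resolver are simulated in-process so the example runs offline. The point it shows is the fail-safe behaviour the post relies on: if the resolver refuses the query, the injected code gets no answer and the site serves normally, so the visitor never sees the redirect.

```python
"""Simulation of a DNS-TXT-based redirect C2 and of a resolver policy that
blocks it. Added example; encoding and record formats are assumed."""

import base64
import json

# C2 nameserver domains named in the thread (defang brackets removed so they
# can be matched). Each is treated as a zone: the name and all subdomains.
C2_ZONES = {
    "data-cheklo.world", "cndatalos.com", "data-infox.com",
    "logs-web.com", "airlogs.net", "webdmonitor.io", "cloudstats.net",
}


def in_c2_zone(qname: str) -> bool:
    """True if qname is a listed C2 zone or any name beneath one.
    Label-wise suffix match, so 'notwebdmonitor.io' does not match."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in C2_ZONES for i in range(len(labels)))


def encode_visitor(visitor: dict, zone: str) -> str:
    """ASSUMED scheme: JSON of the visitor's details, base32 (DNS-safe and
    case-insensitive), split into 63-octet labels under the C2 zone."""
    raw = base64.b32encode(json.dumps(visitor, sort_keys=True).encode())
    raw = raw.decode().rstrip("=").lower()
    labels = [raw[i:i + 63] for i in range(0, len(raw), 63)]
    qname = ".".join(labels + [zone])
    if len(qname) > 253:  # DNS name length limit
        raise ValueError("visitor blob too large for a single query name")
    return qname


def decode_visitor(qname: str, zone: str) -> dict:
    """Inverse of encode_visitor, as the attacker's nameserver would do it."""
    data = qname[: -len(zone) - 1].replace(".", "").upper()
    data += "=" * (-len(data) % 8)  # restore base32 padding
    return json.loads(base64.b32decode(data))


def attacker_authoritative(qname: str, zone: str) -> list:
    """Constructed stand-in for the C2 nameserver. It decodes the visitor and
    answers with a TXT record. Crawlers and scanners get a no-op (the cloaking
    a TDS provides); humans get a redirect target (constructed URL)."""
    visitor = decode_visitor(qname, zone)
    ua = visitor.get("ua", "").lower()
    if "bot" in ua or "crawler" in ua:
        return ["noop"]
    return ["redir=https://landing.example.invalid/?ip=" + visitor.get("ip", "")]


class PolicyResolver:
    """Stand-in for the web server's recursive resolver. With block=True,
    queries into a C2 zone get no answer at all, which is the protection
    the post describes; otherwise they reach the attacker's nameserver."""

    def __init__(self, block: bool):
        self.block = block
        self.blocked_queries = []

    def txt(self, qname: str, zone: str):
        if self.block and in_c2_zone(qname):
            self.blocked_queries.append(qname)
            return None
        return attacker_authoritative(qname, zone)


def handle_visitor(visitor: dict, resolver: PolicyResolver,
                   zone: str = "webdmonitor.io") -> tuple:
    """What the injected server-side code does per page load: ask the C2 via
    a TXT query what to do with this visitor. No usable answer means the page
    is served normally, so the visitor is protected when the query is blocked."""
    answer = resolver.txt(encode_visitor(visitor, zone), zone)
    if not answer:
        return ("serve", None)
    for txt in answer:
        if txt.startswith("redir="):
            return ("redirect", txt[len("redir="):])
    return ("serve", None)


if __name__ == "__main__":
    # Constructed visitors, not captured data.
    human = {"ip": "203.0.113.7", "ua": "Mozilla/5.0", "ref": "https://www.google.com/"}
    crawler = {"ip": "203.0.113.8", "ua": "Googlebot/2.1"}
    open_resolver = PolicyResolver(block=False)
    blocking_resolver = PolicyResolver(block=True)
    print("open resolver, human   :", handle_visitor(human, open_resolver))
    print("open resolver, crawler :", handle_visitor(crawler, open_resolver))
    print("blocking resolver, human:", handle_visitor(human, blocking_resolver))
    print("queries blocked:", blocking_resolver.blocked_queries)
```

Two practical takeaways from the simulation: the injected code never contacts the C2 over HTTP, so web-proxy logs show nothing and the only artifact is a TXT query for an odd-looking name beneath one of the C2 zones, which is where to look in resolver logs; and because the decision is made in the DNS answer, a resolver policy (RPZ or equivalent) that refuses those zones neutralises the redirect even while the site itself stays infected.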

@knitcode This is completely out of my policy wheelhouse, but I will remember it. I took it more seriously when I realized you aren't a cis man 😂🥲 Thank you for being here