toad.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mastodon server operated by David Troy, a tech pioneer and investigative journalist addressing threats to democracy. Thoughtful participation and discussion welcome.


#vextrio


Some great work from Denis Sinegubko yesterday on a VexTrio affiliate who has been compromising websites for years. This is complex research coming in three parts and aligns with some of our own.

A few highlights for me...sprinkling in some of our Infoblox work:
* The DollyWorld actor is a VexTrio (specifically a Los Pollos) affiliate since 2016. Given that Los Pollos dates to 2015, this is an old partner.
* Around November 20th, 2024, Los Pollos announced to their customers they would stop push monetization. I've written a lot on push monetization as a source of lingering evil. Whatever caused this change, it disrupted their affiliates.
* DollyWorld actor and the DNS C2 TXT systems we have been tracking carefully (after all, it's DNS) both switched to Monetizer TDS at that point. Coincidence?
* I had originally used germannautica[.]com to get the VexTrio hook and then later was able to trigger participates[.]cfd (leads to Monetizer) through the same site.
* Where VexTrio was just scams, the new TDS pattern also gave me malware.

Most importantly -- scams pay! These affiliate actors are running for years on compromised sites and constantly updating their techniques. Why else would they keep going?

#dns #threatintel #cybercrime #cybersecurity #infosec #malware #scam #vextrio

godaddy.com/resources/news/dol

GoDaddy Blog · DollyWay World Domination: Eight Years of Evolving Website Malware Campaigns. Discover how the DollyWay malware operation has compromised over 20,000 WordPress sites since 2016, using cryptographically signed payloads, distributed C2 networks, and sophisticated reinfection mechanisms to maintain persistent control.

More malicious GitHub repos - this weekend there was one for Australia Day (Jan 26th). The pages in these repos load a malicious script that operates as a TDS -- the user will either be dropped to the decoy page or shown fake captchas and asked to allow push notifications.

I just saw a new one pop up for Chinese New Year -- I'm telling you these malicious #adtech guys have no targeting boundaries.

A few facts for the #threatintelligence folks:
* The repo contains over 13k single-page websites like the one below.
* Accepting notifications on this one flooded my phone with porn, crypto scams, and fake news.
* I believe this is #vextrio or a close VexTrio affiliate in spite of the new cute image captcha.
* Not clear how the page lures are distributed, but SEO poisoning has been seen in the past. We pick them up via #dns.

Screen capture of the captcha and push notifications are here: imgur.com/a/ZEDJ8BK

australiaday[.]github[.]io
chinesenewyear[.]github[.]io
qggi[.]com
yto[.]pp[.]ua
xyc[.]pp[.]ua

#threatintel #malware #cybercrime #cybersecurity #infosec #infoblox #InfobloxThreatIntel @InfobloxThreatIntel

Cricket and Matt asked me to join them for the Ask Mr DNS podcast last week. It's a great show that I've listened to for years.

We talked about securing networks by blocking bad things in DNS and how our research group @InfobloxThreatIntel does that work. I talk a bit about malicious adtech like #VexTrio ....

This whole show is completely unrehearsed and I had no real idea what we were going to cover lol... so fingers crossed it makes sense to folks.

There are some great episodes about the Dyn attacks in 2015 that you should listen to if you have an interest in DDOS attacks.

#threatintel #dns #cybercrime #cybersecurity #infosec #infoblox #phishing #malware #malvertising

ask-mrdns.com/2025/01/episode-

ask-mrdns.com · The Ask Mr. DNS Podcast — Episode 64

Many malicious adtech companies offer what they call a "smartlink" to marketing affiliates. These affiliates publish the smartlink URL on a website, an Instagram post, a Facebook ad, etc., and receive a commission based on some criteria of the adtech company.

But what is a smartlink really? You can think of it like this...

A Guy tells you he'll pay you to deliver packages. You can deliver them to anyone you want. Here's the catch: you only get paid if the recipient buys the contents AFTER they open it.

You don't know what's inside the packages, but the Guy gives you a hint by labeling it "mainstream", "dating", "gaming" etc. This way you can try to find people who are most likely to buy the content inside.

So you run all around town handing out packages, being super creative and decorating them so people will open the box... and hoping they'll buy what's inside when they do. The Guy decides what's in the package and whether you get paid.

Sounds smart, right?

VexTrio's Los Pollos is one company that offers smartlinks, but there are many others, including Propeller Ads (via Monetag). Some call them direct links. For the technical folks - these links enter the user/victim into the traffic distribution system (TDS). These links are used to deliver everything from scams to malware.

VexTrio has several fake apps. Some of these have been downloaded over 10M times on the apps stores. Here's my sacrificial phone experience with one of them.

Spam Shield is a fake spam blocker. You'll get driven to it from push notifications but also from web searches. I've grabbed some video and images to share. The first thing I did was read the worst reviews on the Google Play store -- this told me exactly what the app did before I downloaded it. Here's how it works:
* This app gets permission to control your phone's notifications. My phone warned this was a bad idea, but you only live once!
* Then it simply hides your real notifications. You can see this in the settings of the app.
* But in the UI it will show you all the spam and push notifications it is blocking as a "proof of value" --> these are all fake!
* Exactly 24 hours later, your "protection" will turn off and you will be driven to a subscription model. Based on reviews, you'll have trouble stopping these subscription payments.

Video and some additional images at imgur. lnkd.in/gCuzHHU2

VexTrio will likely try to hide again. They've already moved this from HolaCode to ApLabz. You can help preserve history by grabbing their apps, screenshotting, sandboxing and sharing. Besides this app they have several more...

Lessons --- An app is not legit just because it is popular! Just like domains, popular apps (and domains) are often driven by malicious activity that is associated with the shady adtech industry. Read the worst reviews first.

Here is the app on Play:
hxxps://play.google[.]com/store/apps/details?id=com.spam.shield.spamblocker.notificationhistory

I'm about 10 weeks into a "user experience" experiment with #vextrio - starting with compromised sites and accepting all push notifications. I posted several of those already on the team account @InfobloxThreatIntel

VexTrio User Experience 5/N

Fake news is another consequence of VexTrio and similar actors. Qurium connected VexTrio to Russian disinformation in October.

In my sacrificial phone I've run into numerous "news" sites that are a complex mix of clickbait, ads, and disinformation. I think I have a pretty good BS detector, but I've found myself on fairly complex fact checking missions since I started this experience.

The other problem is once you visit a compromised website you are immediately thrown into a world where even the major news feed, say from Google, is filled with trash that wasn't there before. It's easy to see how people's beliefs can be manipulated simply by making the wrong click at the wrong time.

Most of the fake news or alarmist headlines I've seen came after visiting the initial infected website… meaning,
* I went to a compromised site,
* was asked to accept push notifications,
* was redirected to something like a "your machine is infected" scareware,
* had a polluted news feed and follow-on push notifications with disinformation.

I have had a few cases where the compromised site redirected immediately to a "news" site. These are filled with undated articles that can be difficult to fact check. Here are a few images from a recent one.
* Did Putin say he couldn't win the war? I doubt it.
* Is the US going to cancel the $20 and $50 bills? Nope. That was easy to check.

#dns #infoblox #threatintel #cybercrime #fakenews #cybersecurity #adtech #adware #infosec

VexTrio User Experience 5/N
 
So what next? Shall we do fake apps? 100% of these experiences come from starting with a compromised site and just allowing all notifications and permissions that are requested. This one came from a notification that the phone needed to be cleaned, and it recommended downloading the app Antivirus Toolkit from the Google Play store. What could go wrong? There are over 1M downloads! This scareware fake app was delivered via Monetizer; see the imgur link.
 
Then read the reviews. Like the other fake apps in this genre, it doesn't do anything except show ads and gain access to your personal information. We'll share some of the other fake apps in a different post; some of them are quite giggle producing. But unfortunately, they work - people are scammed out of tons of money through these jerks.
 
Once installed, the app tells you that your browser is compromised, and you need to install a secure browser -- another one on the Google store with lots of downloads and seemingly good reviews. But finding the real reviews shows the same behavior… lots of ads and access to personal data.
 
I haven't tried to do any sandboxing or reverse engineering of these apps that the VexTrio affiliates are recommending; I'm just getting the full user experience.
 
In the meantime, the Antivirus Toolkit continues to push notifications, including that it has instaled (sic) and uninstaled (sic) Chrome for me.

Video of the virus app is here. Only defanged as I maxed the image load for Mastodon.
https://imgur[.]com/a/bxPEyhB
 
#dns #threatintel #fakeapp #scam #scareware #phishing #vextrio #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel

VexTrio User Experience 4/N

@knitcode decided it was time to get crypto-scammed by VexTrio.....here's the story...

Unfortunately, when I got to the final scam to steal my funds I landed at a page that was unavailable... so my money wasn't stolen. I did capture 16 minutes of screen recording while they mined my device and tried to interact with their fake online users, so that was fun. Imgur won't let me load that long of a video, so I've got screenshots of the highlights.

Here's how the scam works:
* Somehow you end up visiting a VexTrio crypto scam domain. Since we track their movements, I just collected one from our detectors.
* You get a "welcome back" with some amazing bitcoin balance... mine was $113k! and a continue button... if you click that...
* You get a threatening "your account will be deleted in one day" for inactivity, but you have the option to log in now! Excellent. Click.
* But what about the password? No problem. The site has remembered your password for you. ;)
* When you login, you are asked if you want to withdraw your funds. Of course!
* It's been 364 days since you were here, so the site needs to "verify" each of your mining transactions. It takes about 10 minutes to do this while it seemingly mines your device. ;)
* Users are "chatting" away talking about ethics and mining strategies. You can add comments but they won't answer you.
* Finally you get the chance to withdraw your funds... first you have to get approval from your account manager and fill out a withdrawal form... she doesn't have a record of you, but that's ok. You are approved to withdraw $113k.
* You need to give a credit card or PayPal account in order to pay their "official" partner Binance to do the conversion. What is a $64 fee for $113k?! Sign me up!
* Click the final button to pay Binance and receive your payout.... unfortunately, for me this is where I hit the "oops, can't display"... after 16 minutes! peqemynite[.]top was not working.
* This domain was previously behind Cloudflare caching, but starting Nov 11th it started resolving to a Russian IP in Prospero (which interestingly shared an IP with keitarotds[.]top) and then Unitel, also Russia. So that's fun.
* To recap... VexTrio domain -> cryptoscam -> Binance fraud -> Russian IP.

Attached are screenshots. I have a few urlscan images of this too, but the process takes so long that getting the full user experience is hard.

Here are some more IOCs. There are a bunch of domains on 91.212.166[.]95. I started at globalminingbit[.]top (after the TDS) and ended at peqemynite[.]top. Here are some current domains: qegymiewo[.]top, ditosoydi[.]top, keziryevo[.]top, xujodyaza[.]top, vupahoawy[.]top, rycozaaqi[.]top, zupahayja[.]top, mafaweewa[.]top, pesaraafy[.]top.
globalminingbit[.]top is also out of the CF cover now and at Proton66 (also Russia): 193.143.1[.]195


VexTrio User Experience 2/N ....

It starts by visiting a compromised website and performing a fake captcha. This allows them to push notifications. In one thread, you may accept pushes from both VexTrio and an affiliate. Now your phone is filled with a wide variety of scams and sketchy apps.

Below is
* The VexTrio fake captcha (there are several variants of this)
* A typical screen for me these days

Mostly scams. I did have one push notification "from God" with a message for me. Clicking on that took me to beliefnet[.]com and then to the LDS page. I suspect that beliefnet[.]com is just buying ad space from some network and somehow it ends up being delivered via VexTrio's own networks.

If you unsubscribe from notifications, in many cases you instantly receive several notifications from another domain. I don't really understand how that works, because all of this is via Google or Firefox systems. But I've done it multiple times.

A few weeks ago, @knitcode started running a "user experience" study of VexTrio -- the long running malicious traffic distribution system (TDS) / malvertiser / scammers / cybercriminals -- by visiting a VexTrio compromised website from a clean Pixel 2 phone and seeing what happened over time. The idea being that you really can't get the picture from sandboxes and scanners of the true user experience. These are posted on LinkedIn and we're going to replay them here. Hopefully folks find them useful.

We've learnt a lot about VexTrio over the last few months after tracking them for the last three years. Stay Tuned. :)

We start with a simple a/v scam. There are tons of these. They recommend you download the best spam app at clicktolead[.]info.

This attack is unbelievably powerful, easy, and preventable. It's the criminal's best kept secret. Much stealthier and more effective than dangling CNAMEs. We found many Russian-nexus actors, but we suspect there are more to be found. Please boost for awareness and hope we aren't rediscovering this attack in another 6 years. Thanks to everyone who contributed to our understanding of the attack and the actors using it … including Proofpoint, @rmceoin Dave Safely, Mandatory, and @briankrebs @dnsoarc #sittingducks #dns #domainhijacking #cybercrime #cybersecurity #infosec #threatintel #malware #phishing #tds #vextrio #404tds #threatintelligence #infoblox @knitcode blogs.infoblox.com/threat-inte

Infoblox Blog · Who Knew? Domain Hijacking is So Easy | Infoblox. Learn about the insidious DNS attack vector that threat actors are using to hijack domains from major brands, government institutions, and other organizations, large and small. Find out how to determine whether your domain name is at risk.

Sometimes people ask us to remove a domain from our blocklists that are part of a malicious traffic distribution system (TDS) because they "visited the url" and didn't get malware. This is like saying "I walked past the armed robber and didn't get robbed." Count yourself lucky. Say no to TDS. #dns #threatintel #cybercrime #malware #phishing #scam #infoblox #cybersecurity #infosec #tds #vextrio #socgholish #clearfake #404tds #adware

#vextrio for the win (again)! Whenever an article has the phrase "series of redirects" it is a TDS... and most of the time it will be VexTrio. A few weeks ago @briankrebs stumbled on them, and now Bleeping Computer. They are obviously going strong still @rmceoin @gentleshep in spite of exposure. No surprise. Check out urlscan for the TDS details. #dns #cybercrime #infosec #cybersecurity #threatintel #phishing #malware #tds #scam @BleepingComputer bleepingcomputer.com/news/goog

urlscan.io/result/d1d59c5f-b11
urlscan.io/result/99f03a78-22c