{"id":7801,"date":"2022-06-06T00:01:57","date_gmt":"2022-06-06T07:01:57","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=7801"},"modified":"2024-04-26T13:20:04","modified_gmt":"2024-04-26T20:20:04","slug":"vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms\/","title":{"rendered":"VexTrio DDGA Domains Spread Adware, Spyware, and Scam Web Forms"},"content":{"rendered":"<h3><strong>Author: Christopher Kim<\/strong><\/h3>\n<h3><strong>1. Executive summary<\/strong><\/h3>\n<p>Since February 2022, Infoblox\u2019s Threat Intelligence Group has been tracking malicious campaigns that use domains generated by a dictionary domain generation algorithm (DDGA) to run scams and spread riskware, spyware, adware, potentially unwanted programs, and pornographic content. This attack is widespread and impacts targets across many industries. From 1 to 12 May 2022, we detected more than 770,000 DNS queries to these domains, in approximately 50% of our cloud customer networks, across 24 industries. Based on the age of the domains, we judge that the threat actors have been conducting these campaigns for at least 13 months. For reporting and tracking purposes, we call this DDGA family and activity VexTrio.<\/p>\n<p>This comprehensive report details the VexTrio DDGA and its associated fraudulent content, and highlights how malicious actors can take advantage of cheap, private domain registrations to create complex attack infrastructure that can remain undetected for a long time. We analyzed the entire attack chain, identified detection deterrents employed by the actors, and created analytics to identify new domains as they emerge.<\/p>\n<p>VexTrio actors heavily use domains and the DNS protocol to operate their campaigns. 
The actors leverage vulnerable WordPress websites as attack vectors to serve fraudulent content to unknowing website visitors. To accomplish this, they first detect websites that show cross-site scripting (XSS) vulnerabilities in WordPress themes or plugins, then inject malicious JavaScript code into them. When victims visit these websites, they are led to a landing web page that hosts fraudulent content, via one or more intermediary redirect domains that are also controlled by the actors. Additionally, as a means to avoid detection, the actors have integrated several features into their JavaScript and require the following conditions from the user to trigger the redirect:<\/p>\n<ol>\n<li>The user must visit the WordPress website from a search engine. For example, the referrer URL can be <em>https:\/\/www.google.com\/<\/em>.<\/li>\n<li>Cookies are enabled in the user\u2019s web browser.<\/li>\n<li>The user has not visited a VexTrio compromised web page in the past 24 hours.<\/li>\n<\/ol>\n<p>The network infrastructure that supports the campaigns is stable, although it continually adds new domains, and the actors have been using it, including its IPs and nameservers, for over a year. VexTrio actors use a relatively small number of fraudulent redirect domains in their campaigns to conditionally lead victims to landing web pages that use DDGA domains. In some cases, we\u2019ve observed the DDGA domain act as an intermediary redirect, or pass the victim onto a decoy landing page if they didn\u2019t fit their profile. The naming convention of the DDGA domains has also been consistent: it shows three words delimited with a hyphen or not delimited at all. 
So far, we have observed the following naming formats across all second-level domains:<\/p>\n<ul>\n<li><em>{firstword}{secondword}{thirdword}.tld<\/em><\/li>\n<li><em>{firstword}{secondword}-{thirdword}.tld<\/em><\/li>\n<li><em>{firstword}-{secondword}-{thirdword}.tld<\/em><\/li>\n<\/ul>\n<p>By analyzing all of the VexTrio DDGA domains we\u2019ve discovered so far, we were able to determine the dictionary that VexTrio uses to generate DDGA domains. We have developed analytics to detect multiple components of the attack chain: compromised WordPress websites, intermediary fraudulent redirect domains, and DDGA domains. To disrupt customer DNS queries to the VexTrio components, we append relevant network indicators to Infoblox DNS response policy zone (RPZ) feeds.<\/p>\n<h3><strong>2. VexTrio Infrastructure and Operation<\/strong><\/h3>\n<p>VexTrio actors inject malicious JavaScript code into vulnerable WordPress websites, which then redirects visitors to potentially harmful content. The visitors go through a redirect chain that involves fraudulent domains whose purpose is to track victims and conditionally send them to landing webpages that serve riskware, spyware, adware, scams, pornographic images, or other unwanted programs.<\/p>\n<p>The scripts involved in the attack add key-value pairs to the local storage of a visitor\u2019s web browser, and this allows the key-value pairs to persist until the visitor manually clears the browser data. The actors use this information to redirect only first-time visitors: that is, users who have not visited the site within the past 24 hours.<\/p>\n<p>The network infrastructure that supports the campaigns is stable, and the actors have been using it, including its IPs and nameservers, for over a year. 
The naming convention of the DDGA domains has also been consistent: it shows three words delimited with a hyphen or not delimited at all.<\/p>\n<p>We detect multiple components of the attack chain: compromised WordPress websites, intermediary fraudulent redirect domains, and DDGA domains. To disrupt customer DNS queries to the VexTrio components, we append relevant network indicators to Infoblox response policy zone (RPZ) feeds.<\/p>\n<h3><strong>2.1. Attack Chain<\/strong><\/h3>\n<p>At this time, we are uncertain how the actors find and initially compromise the WordPress websites. However, of the myriad methods available for probing vulnerable WordPress websites, cybercriminals typically perform Google dorking and open source scanning.<sup>1,2<\/sup> Google dorking (aka Google hacking) refers to techniques that use advanced Google search operators to find specific and vulnerable online assets that an attacker can exploit.<sup>3<\/sup> Alternatively, attackers have access to a plethora of WordPress scanning tools, including open source tools, that allow them to scan a list of URLs and enumerate installed WordPress plugins.<sup>4<\/sup><\/p>\n<p>When victims visit a WordPress website injected with malicious JavaScript code, the script redirects them to one or more intermediary fraudulent domains. The purpose of these domains is to record information about the victims, including the referrer URL, search-engine keywords, compromised WordPress website, and geolocation. 
The script then redirects the victims to a landing page that hosts fraudulent content.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-7802\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/a-typical-vextrio-attack.png\" alt=\"\" width=\"716\" height=\"639\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/a-typical-vextrio-attack.png 716w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/a-typical-vextrio-attack-300x268.png 300w\" sizes=\"auto, (max-width: 716px) 100vw, 716px\" \/><br \/>\n<strong>Figure 1: A typical VexTrio attack<\/strong><\/p>\n<h3><strong>2.2. Compromised WordPress websites<\/strong><\/h3>\n<p>Actors locate vulnerable WordPress websites by using Google dorking, crawling, scanning, and other methods. Usually, the actors exploit cross-site scripting (XSS) vulnerabilities in WordPress themes or plugins, then inject malicious JavaScript code into the website.<\/p>\n<p>For example, on 17 May, an Infoblox customer visited a WordPress website injected with malicious JavaScript. The script led the victim through a redirect chain that involved fraudulent domains, and it triggered the redirect only after certain conditions were satisfied:<\/p>\n<ul>\n<li>The user must visit the WordPress website from a search engine. For example, the referrer URL can be <em>https:\/\/www.google.com\/<\/em>.<\/li>\n<li>Cookies are enabled in the user\u2019s web browser.<\/li>\n<li>The user has not visited a VexTrio compromised web page in the past 24 hours. This is most likely a tactic used to reduce attention and the possibility of detection by security teams.<\/li>\n<\/ul>\n<p>We replicated these conditions by using the cURL command-line tool. The command in Figure 2 uses the Google search engine address for the URL referrer and bypasses the cookie requirement by specifying a User Agent string. 
The command returns the malicious JavaScript redirect code shown in Figure 3.<\/p>\n<table width=\"672\">\n<tbody>\n<tr>\n<td width=\"672\"><em>curl -o compromised_website.html http:\/\/compromised_website\/ -H 'Referer: https:\/\/www.google.com\/' -A \"Mozilla\/5.(compatible; MSIE 7.01; Windows NT 5.0)\"<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>Figure 2: cURL command for triggering a redirect<\/strong><\/p>\n<p>The following JavaScript code checks the aforementioned conditions and then instructs the client\u2019s web browser to load a script directly from one of the intermediary fraudulent domains. In this case, the external script is located at <em>hXXps:\/\/burnihhell[.]live\/vKWM7L<\/em>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-7804\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/javascript-redirect-code.png\" alt=\"\" width=\"672\" height=\"468\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/javascript-redirect-code.png 672w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/javascript-redirect-code-300x209.png 300w\" sizes=\"auto, (max-width: 672px) 100vw, 672px\" \/><br \/>\n<strong>Figure 3: JavaScript redirect code<\/strong><\/p>\n<h3><strong>2.3. Intermediary redirects<\/strong><\/h3>\n<p>There can be more than one intermediary fraudulent domain involved in a redirect chain. Typically, the last redirect domain sends victims to a landing page on the DDGA domain. In some cases, DDGA domains themselves operate as intermediary redirects. In the example shown in Figure 3, the script that loaded directly from <em>burnihhell[.]live<\/em> redirected the victim to the second redirect domain, <em>get-the-prize-ht2[.]live<\/em>. Figure 4 below shows an HTML code snippet from the second domain that contained a JavaScript function, which sent the victim to the DDGA domain <em>cthjrl[.]senseagreepaper[.]xyz<\/em>. The subdomain name (e.g. 
<em>cthjrl<\/em>) is always 6 characters long, contains English alphabet letters, and is generated randomly.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-7805\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/code-snippet-of-a-redirect-to-a-ddga-domain.png\" alt=\"\" width=\"533\" height=\"152\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/code-snippet-of-a-redirect-to-a-ddga-domain.png 533w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/code-snippet-of-a-redirect-to-a-ddga-domain-300x86.png 300w\" sizes=\"auto, (max-width: 533px) 100vw, 533px\" \/><br \/>\n<strong>Figure 4: Code snippet of a redirect to a DDGA domain<\/strong><\/p>\n<h3><strong>2.4. Characteristics of DDGA domains<\/strong><\/h3>\n<p>On average, we detect almost 200 unique VexTrio DDGA domains daily. Almost every one of the domains resolved to an IP address at the time of detection, which is atypical of how threat actors have used DGAs historically. The names of VexTrio DDGA domains follow a specific format and consist of three English words with or without hyphens between them. So far, we have observed the following naming formats across all second-level domains:<\/p>\n<ul>\n<li><em>{firstword}{secondword}{thirdword}.tld<\/em><\/li>\n<li><em>{firstword}{secondword}-{thirdword}.tld<\/em><\/li>\n<li><em>{firstword}-{secondword}-{thirdword}.tld<\/em><\/li>\n<\/ul>\n<p>In aggregate, we discovered nearly 1,000 words across more than 30,000 names of DDGA domains. Figure 5 is a density histogram that describes the relative probability that a word will be re-used \u2018x\u2019 times in the VexTrio dictionary. Each word is reused an average of 106 times. 
The 10 words that showed the highest frequency of use are <em>somebody<\/em> (142), <em>body<\/em> (139), <em>beauty<\/em> (138), <em>once<\/em> (138), <em>large<\/em> (138), <em>girl<\/em> (138), <em>clear<\/em> (138), <em>get<\/em> (135), <em>fine<\/em> (134), and <em>question<\/em> (133).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-7806\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/reuse-of-words-in-the-names-of-ddga-domains-by-count.png\" alt=\"\" width=\"714\" height=\"279\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/reuse-of-words-in-the-names-of-ddga-domains-by-count.png 714w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/reuse-of-words-in-the-names-of-ddga-domains-by-count-300x117.png 300w\" sizes=\"auto, (max-width: 714px) 100vw, 714px\" \/><br \/>\n<strong>Figure 5: Reuse of words in the names of DDGA domains by count<\/strong><\/p>\n<p>VexTrio actors do not register redirect domains as frequently as domains created by the DDGA. According to registration records, they create redirect domains in smaller batches periodically throughout the year. Their DNS configuration, including A records and nameservers, shows minimal change during the domains\u2019 lifetime. The actors operate these domains for months, or sometimes for over a year, and they modify the malicious scripts served from these domains so that they redirect traffic to newly registered DDGA domains. 
As represented in Figure 6 below, we observed the presence of many redirect domains for at least 10 days across multiple customers and a large number of unique devices.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-7807\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/lengths-of-time-sample-redirect-domains-were-used.png\" alt=\"\" width=\"727\" height=\"386\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/lengths-of-time-sample-redirect-domains-were-used.png 727w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/lengths-of-time-sample-redirect-domains-were-used-300x159.png 300w\" sizes=\"auto, (max-width: 727px) 100vw, 727px\" \/><br \/>\n<strong>Figure 6: Lengths of time sample redirect domains were used<\/strong><\/p>\n<h3><strong>2.5. Network behavior<\/strong><\/h3>\n<p>The redirect chain typically lasts a few seconds: the time interval starts when the victim visits the compromised WordPress website and ends when the victim reaches the website that uses a domain generated by the DDGA. In some cases, the victim waits over 10 seconds before reaching the destination landing page. This usually happens when the redirect chain involves additional intermediary domains. Figure 7 lays out an example of an extended redirect chain from a customer device interacting with one of the compromised WordPress sites. 
In this example, the landing page is the Google Play Store website; we suspect the victim did not meet the actors\u2019 criteria and instead got served a decoy page to avoid suspicion.<\/p>\n<table>\n<tbody>\n<tr>\n<td><b>protocol<\/b><\/td>\n<td><b>type<\/b><\/td>\n<td><b>qname<\/b><\/td>\n<td><b>timestamp (Unix epoch, seconds)<\/b><\/td>\n<\/tr>\n<tr>\n<td>DNS<\/td>\n<td>query<\/td>\n<td>&lt;compromised website&gt;<\/td>\n<td>1652799272<\/td>\n<\/tr>\n<tr>\n<td>DNS<\/td>\n<td>query<\/td>\n<td>burnihhell[.]live<\/td>\n<td>1652799273<\/td>\n<\/tr>\n<tr>\n<td>DNS<\/td>\n<td>query<\/td>\n<td>get-the-prize-ht2[.]live<\/td>\n<td>1652799273<\/td>\n<\/tr>\n<tr>\n<td>DNS<\/td>\n<td>query<\/td>\n<td>cthjrl[.]senseagreepaper[.]xyz<\/td>\n<td>1652799274<\/td>\n<\/tr>\n<tr>\n<td>DNS<\/td>\n<td>query<\/td>\n<td>genericstorageplace[.]com<\/td>\n<td>1652799276<\/td>\n<\/tr>\n<tr>\n<td>DNS<\/td>\n<td>query<\/td>\n<td>play[.]google[.]com<\/td>\n<td>1652799286<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>Figure 7: DNS traffic capture<\/strong><\/p>\n<p>From 1 to 12 May, 99% of the Infoblox cloud customer devices that we know reached VexTrio DDGA domains did so for just one day. This demonstrates the effectiveness of VexTrio&#8217;s anti-detection capabilities, which allow it to redirect only first-time visitors. To determine whether any malicious content was served to the client, security defenders should analyze the network events that occur after the DDGA DNS query.<\/p>\n<h3><strong>3. 
Impact on industries<\/strong><\/h3>\n<p>During the timeframe of our analysis, VexTrio affected Infoblox customers across 24 industries globally; the most heavily affected industry that we observed was \u201cgovernment.\u201d Other industries of note included information technology and related consulting, as well as education, healthcare, and financial services.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-7808\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/the-number-of-organizations-affected-across-industries.png\" alt=\"\" width=\"726\" height=\"290\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/the-number-of-organizations-affected-across-industries.png 726w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/the-number-of-organizations-affected-across-industries-300x120.png 300w\" sizes=\"auto, (max-width: 726px) 100vw, 726px\" \/><br \/>\n<strong>Figure 8: The number of organizations affected across industries<\/strong><\/p>\n<h3><strong>4. Prevention and mitigation<\/strong><\/h3>\n<p>VexTrio primarily abuses vulnerable WordPress websites to deliver unwanted content to visitors. Embedding malicious JavaScript code in oft-visited web blogs and other popular but vulnerable websites helps the actors widen their reach. We assess that the VexTrio DDGA campaign could serve as a delivery vector for other cybercrime syndicates, thereby enabling follow-on attacks. We recommend the following actions for protection from this kind of attack:<\/p>\n<ul>\n<li>Disabling JavaScript on web browsers completely, or enabling it only for trusted sites, can help mitigate attacks employed by VexTrio actors, who capitalize on the use of JavaScript to run their tasks.<\/li>\n<li>Consider using an adblocker program to block certain malware activated by popup ads. 
Along with an adblocker, consider using the web extension NoScript, which allows JavaScript and other potentially harmful content to execute only from trusted sites, reducing the attack surface available to actors.<\/li>\n<li>Implementing Infoblox\u2019s RPZ feeds in firewalls can stop the actors\u2019 connections at the DNS level, as all components described in this report (compromised websites, intermediary redirect domains, DDGA domains, and landing pages) require the DNS protocol. Infoblox\u2019s Threat Intelligence Group (TIG) detects these components daily and adds them to Infoblox\u2019s RPZ feeds.<sup>5<\/sup><\/li>\n<li>Leveraging Infoblox\u2019s Threat Insight service, which performs real-time streaming analytics on live DNS queries, can provide high-security coverage and protection against threats that are based on DGAs as well as DDGAs.<sup>6<\/sup><\/li>\n<\/ul>\n<h3><strong>5. Indicators of compromise<\/strong><\/h3>\n<p>We will continue to track compromised WordPress websites, intermediary redirect domains, DDGA domains, IP addresses, and malicious nameservers related to the VexTrio activity. The table below provides a sample list of the IOCs relevant to our recent findings. 
The complete list as of the time of this paper is found in our GitHub repository.<sup>7<\/sup><\/p>\n<h3><strong>Endnotes<\/strong><\/h3>\n<ol>\n<li><a href=\"https:\/\/patchstack.com\/articles\/wordpress-sensitive-information-leakage\" target=\"_blank\" rel=\"noopener\">https:\/\/patchstack.com\/articles\/wordpress-sensitive-information-leakage<\/a><\/li>\n<li><a href=\"https:\/\/secure.wphackedhelp.com\/blog\/wordpress-security-scanner\/\" target=\"_blank\" rel=\"noopener\">https:\/\/secure.wphackedhelp.com\/blog\/wordpress-security-scanner\/<\/a><\/li>\n<li><a href=\"https:\/\/developers.google.com\/search\/docs\/advanced\/debug\/search-operators\/overview\" target=\"_blank\" rel=\"noopener\">https:\/\/developers.google.com\/search\/docs\/advanced\/debug\/search-operators\/overview<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/wpscanteam\/wpscan\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/wpscanteam\/wpscan<\/a><\/li>\n<li><a 
href=\"https:\/\/community.infoblox.com\/t5\/infoblox-tide-solution\/custom-rpz-feeds-from-infoblox-tide\/gpm-p\/14027\" target=\"_blank\" rel=\"noopener\">https:\/\/community.infoblox.com\/t5\/infoblox-tide-solution\/custom-rpz-feeds-from-infoblox-tide\/gpm-p\/14027<\/a><\/li>\n<li><a href=\"https:\/\/www.infoblox.com\/wp-content\/uploads\/infoblox-datasheet-threat-insight.pdf\" target=\"_blank\" rel=\"noopener\">https:\/\/www.infoblox.com\/wp-content\/uploads\/infoblox-datasheet-threat-insight.pdf<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/infobloxopen\/threat-intelligence\/tree\/main\/cta_indicators\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/infobloxopen\/threat-intelligence\/tree\/main\/cta_indicators<\/a><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Author: Christopher Kim &nbsp; 1. Executive summary Since February 2022, Infoblox\u2019s Threat Intelligence Group has been tracking malicious campaigns that use domains generated by a dictionary domain generation algorithm (DDGA) to run scams and spread riskware, spyware, adware, potentially unwanted programs, and pornographic content. This attack is widespread and impacts targets across many industries. 
From [&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":7818,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","categories":[554],"tags":[360,381,709,527,701]}
intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us to track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/author\\\/infoblox-threat-intel\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"VexTrio DDGA Domains Observed Spreading Adware, Spyware, and Scam Web Forms | Infoblox","description":"The VexTrio DDGA is being used by malicious actors who take advantage of cheap, private domain registrations to create complex attack infrastructure that remain undetected for a long time. Learn about it in this comprehensive report.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms\/","og_locale":"en_US","og_type":"article","og_title":"VexTrio DDGA Domains Spread Adware, Spyware, and Scam Web Forms","og_description":"The VexTrio DDGA is being used by malicious actors who take advantage of cheap, private domain registrations to create complex attack infrastructure that remain undetected for a long time. 
Learn about it in this comprehensive report.","og_url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms\/","og_site_name":"Infoblox Blog","article_published_time":"2022-06-06T07:01:57+00:00","article_modified_time":"2024-04-26T20:20:04+00:00","og_image":[{"width":612,"height":408,"url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms.jpg","type":"image\/jpeg"}],"author":"Infoblox Threat Intel","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Infoblox Threat Intel","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms\/#article","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms\/"},"author":{"name":"Infoblox Threat Intel","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/b6aed8965e3298a0817c16d32c0a67ae"},"headline":"VexTrio DDGA Domains Spread Adware, Spyware, and Scam Web Forms","datePublished":"2022-06-06T07:01:57+00:00","dateModified":"2024-04-26T20:20:04+00:00","mainEntityOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms\/"},"wordCount":2433,"publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms.jpg","keywords":["DNS 
Security","exploit","VexTrio","vulnerability","zerologon"],"articleSection":["Cyber Threat Advisory"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms\/","url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms\/","name":"VexTrio DDGA Domains Observed Spreading Adware, Spyware, and Scam Web Forms | Infoblox","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms\/#primaryimage"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms.jpg","datePublished":"2022-06-06T07:01:57+00:00","dateModified":"2024-04-26T20:20:04+00:00","description":"The VexTrio DDGA is being used by malicious actors who take advantage of cheap, private domain registrations to create complex attack infrastructure that remain undetected for a long time. 
Learn about it in this comprehensive report.","breadcrumb":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms\/#primaryimage","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms.jpg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms.jpg","width":612,"height":408,"caption":"Hackers using laptop computers to penetrate security systems to steal big data from the server room"},{"@type":"BreadcrumbList","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.infoblox.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Infoblox Threat Intel","item":"https:\/\/www.infoblox.com\/blog\/category\/threat-intelligence\/"},{"@type":"ListItem","position":3,"name":"Cyber Threat Advisory","item":"https:\/\/www.infoblox.com\/blog\/category\/threat-intelligence\/cyber-threat-advisory\/"},{"@type":"ListItem","position":4,"name":"VexTrio DDGA Domains Spread Adware, Spyware, and Scam Web 
Forms"}]},{"@type":"WebSite","@id":"https:\/\/www.infoblox.com\/blog\/#website","url":"https:\/\/www.infoblox.com\/blog\/","name":"infoblox.com\/blog\/","description":"","publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.infoblox.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.infoblox.com\/blog\/#organization","name":"Infoblox","url":"https:\/\/www.infoblox.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","width":137,"height":30,"caption":"Infoblox"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/b6aed8965e3298a0817c16d32c0a67ae","name":"Infoblox Threat Intel","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","url":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","contentUrl":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","caption":"Infoblox Threat Intel"},"description":"Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. 
DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us to track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.","url":"https:\/\/www.infoblox.com\/blog\/author\/infoblox-threat-intel\/"}]}},"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/7801","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/397"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=7801"}],"version-history":[{"count":2,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/7801\/revisions"}],"predecessor-version":[{"id":7811,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/7801\/revisions\/7811"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/7818"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=7801"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=7801"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=7801"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}