{"id":7812,"date":"2022-06-06T00:02:24","date_gmt":"2022-06-06T07:02:24","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=7812"},"modified":"2024-04-26T13:20:03","modified_gmt":"2024-04-26T20:20:03","slug":"executive-summary-vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/executive-summary-vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms\/","title":{"rendered":"Executive Summary: VexTrio DDGA Domains Spread Adware, Spyware, and Scam Web Forms"},"content":{"rendered":"

Author: Christopher Kim<\/strong><\/h3>\n

 <\/p>\n

Executive summary<\/strong><\/h3>\n

Since February 2022, Infoblox\u2019s Threat Intelligence Group (TIG) has been tracking malicious campaigns that use domains generated by a dictionary domain generation algorithm (DDGA) to run scams and spread riskware, spyware, adware, potentially unwanted programs, and pornographic content. This attack is widespread and impacts targets across many industries. From 1 to 12 May 2022, we detected more than 770,000 DNS queries to these domains, in approximately 50% of our cloud customer networks, across 24 industries. Based on the age of the domains, we judge that the threat actors have been conducting these campaigns for at least 13 months. For reporting and tracking purposes, we call this DDGA family and activity VexTrio.<\/p>\n

We are releasing a new Cyber Threat Advisory (CTA) today providing a comprehensive analysis of the actor\u2019s infrastructure and operations. This work is the result of in-depth analysis of DNS events, associated registration data, and the fraudulent content. Our paper details the attack chain and reveals a number of the techniques, tactics, and procedures (TTP) used by the actor, as well as impact on various industries. Additionally, we are releasing 38,000 domains and IPs related to Vextrio to our GitHub Repository for use by the security community.<\/p>\n

VexTrio actors heavily use domains and the DNS protocol to operate their campaigns. The actors leverage vulnerable WordPress websites as attack vectors to serve fraudulent content to unknowing website visitors. To accomplish this, they first detect websites that show cross-site scripting (XSS) vulnerabilities in WordPress themes or plugins, then inject malicious JavaScript code into them. When victims visit these websites, they are led to a landing web page that hosts fraudulent content, via one or more intermediary redirect domains that are also controlled by the actors. Additionally, as a means to avoid detection, the actors have integrated several features into their JavaScript and require the following conditions from the user to trigger the redirect:<\/p>\n