mastouille.fr is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mastouille is a sustainable, open Mastodon instance hosted in France.


#vextrio


Tens of thousands of compromised websites use DNS TXT records to conditionally redirect visitors to malicious content. For years, this exclusively redirected to VexTrio TDS - but in late-November 2024, it changed. But did it? We think not.

A couple of major takeaways from the research we released in June and what we've continued to learn since then:

* DNS is being used very successfully to drive innocent people to malware and scams, including alarming tech support scams

* These can be stopped by blocking the DNS query, but it must be done on the website's server side, not at the visitor.

* VexTrio is tight not just with malware actors who hack sites and drive traffic to them; they appear to be one and the same as, or at least closely related to, infamous TDS and a multitude of other "adtech" platforms.

* Reviewing old literature carefully connects VexTrio via shared software with ROI777.

We're going to throw up more "snackables" before heading to Vegas. If you want to see the faces behind VexTrio and hear their origin story, come see our talk or track us down at the booth.

The Russians aren't coming, they are already here. Without most anyone realizing, they've created an entire malicious adtech industry whose story is just as complex as the Chinese organized crime we're now realizing from their ventures into pig butchering.

VexTrio is just one Russian organized crime group in the malicious adtech world, but they are a critical one. They have a very "special" relationship with website hackers that defies logic. I'd put my money on a contractual one. All your bases belong to Russian adtech hackers.

Today we've released the first piece of research that may eventually prove whether I am right. This paper is hard, I've been told. I know. We've condensed thousands of hours of research into about 30 pages. @briankrebs tried to make the main points a lot more consumable and wrote a fabulous complementary article: read both!

There's so much more to say... but at the same time, between ourselves and Brian, we've released a lot of lead material... and there's more to come. I've emphasized the Russian (technically Eastern European) crime here, but as Brian's article points out there is a whole Italian side too. And more.

We've given SURBL, Spamhaus, Cloudflare, Domain Tools, several registrars, and many security companies over 100k domains. They are also posted on our open github.

Super thanks to our collaborators at Qurium, GoDaddy Sucuri Security, and elsewhere.

#threatintel #scam #tds #vextrio #cybercrime #cybersecurity #infosec #dns #infoblox #InfobloxThreatIntel #malware #phishing #spam

blogs.infoblox.com/threat-inte

krebsonsecurity.com/2025/06/in

Infoblox Blog · What is the Real Relationship between WordPress Hackers and Malicious Adtech? A cabal of Russian-nexus adtech companies are the cybercriminal choice to drive users to scams and malware from millions of compromised sites.

Cricket and Matt asked me to join them for the Ask Mr DNS podcast last week. It's a great show that I've listened to for years.

We talked about securing networks by blocking bad things in DNS and how our research group @InfobloxThreatIntel does that work. I talk a bit about malicious adtech like #VexTrio ....

This whole show is completely unrehearsed and I had no real idea what we were going to cover, lol... so fingers crossed it makes sense to folks.

There are some great episodes about the Dyn attacks in 2015 that you should listen to if you have an interest in DDoS attacks.

#threatintel #dns #cybercrime #cybersecurity #infosec #infoblox #phishing #malware #malvertising

ask-mrdns.com/2025/01/episode-

ask-mrdns.com · The Ask Mr. DNS Podcast — Episode 64

VexTrio User Experience 4/N

@knitcode decided it was time to get crypto-scammed by VexTrio.....here's the story...

Unfortunately, when I got to the final scam to steal my funds, I landed at a page that was unavailable, so my money wasn't stolen. I did capture 16 minutes of screen recording while they mined my device and I tried to interact with their fake online users, so that was fun. Imgur won't let me upload a video that long, so I've got screenshots of the highlights.

Here's how the scam works:
* Somehow you end up visiting a VexTrio crypto scam domain. Since we track their movements, I just collected one from our detectors.
* You get a "welcome back" with some amazing bitcoin balance... mine was $113k! And a continue button... if you click that...
* You get a threatening "your account will be deleted in one day" for inactivity, but you have the option to log in now! Excellent. Click.
* But what about the password? No problem, the site has remembered your password for you. ;)
* When you log in, you are asked if you want to withdraw your funds. Of course!
* It's been 364 days since you were here, so the site needs to "verify" each of your mining transactions. It takes about 10 minutes to do this while it seemingly mines your device. ;)
* Users are "chatting" away, talking about ethics and mining strategies. You can add comments but they won't answer you.
* Finally you get the chance to withdraw your funds... first you have to get approval from your account manager and fill out a withdrawal form. She doesn't have a record of you, but that's ok; you are approved to withdraw $113k.
* You need to give a credit card or PayPal account in order to pay their "official" partner Binance to do the conversion. What is a $64 fee for $113k?! Sign me up!
* Click the final button to pay Binance and receive your payout.... Unfortunately, for me this is where I hit the "oops, can't display"... after 16 minutes! peqemynite[.]top was not working.
* This domain was previously behind Cloudflare caching, but starting Nov 11th it started resolving to a Russian IP in Prospero (which interestingly shared an IP with keitarotds[.]top) and then Unitel, also Russia. So that's fun.
* To recap... VexTrio domain -> crypto scam -> Binance fraud -> Russian IP.

Attached are screenshots. I have a few urlscan images of this too, but the process takes so long that getting the full user experience is hard.

Here are some more IOCs. There are a bunch of domains on 91.212.166[.]95. I started at globalminingbit[.]top (after the TDS) and ended at peqemynite[.]top. Here are some current domains: qegymiewo[.]top, ditosoydi[.]top, keziryevo[.]top, xujodyaza[.]top, vupahoawy[.]top, rycozaaqi[.]top, zupahayja[.]top, mafaweewa[.]top, pesaraafy[.]top.
globalminingbit[.]top is also out from under the CF cover now and at Proton66 (also Russia): 193.143.1[.]195

This attack is unbelievably powerful, easy, and preventable. It’s the criminal’s best kept secret. Much stealthier and more effective than dangling CNAMEs. We found many Russian-nexus actors, but we suspect there are more to be found. Please boost for awareness and hope we aren’t rediscovering this attack in another 6 years. Thanks to everyone who contributed to our understanding of the attack and the actors using it … including Proofpoint, @rmceoin Dave Safely, Mandatory, and @briankrebs @dnsoarc #sittingducks #dns #domainhijacking #cybercrime #cybersecurity #infosec #threatintel #malware #phishing #tds #vextrio #404tds #threatintelligence #infoblox @knitcode blogs.infoblox.com/threat-inte

Infoblox Blog · Jaw Dropping DNS Attack Vector Heavily Exploited in the Wild · Learn about the insidious DNS attack vector that threat actors are using to hijack domains from major brands, government institutions, and other organizations, large and small. Find out how to determine whether your domain name is at risk.

Ok this is cool. @Gi7w0rm wrote an article detailing every single one of the 29 browser checks that #VexTrio makes. I like the "spooky check" lol, but they also highlight how, if browsers followed deprecation standards, VexTrio would not be able to use 7 of the checks. VexTrio are doing some clever things to take advantage of the environment, and then they send that back to the C2 server to determine the next action and block potential security researchers. Also this week, Bleeping Computer reported on SEO poisoning of various types, most of which were VexTrio affiliates. You can use what Gi7w0rm has provided to help distinguish their activity in addition to what we reported in January. #phishing #scam #malware #tds #cybersecurity #cybercrime #infosec #threatintel gi7w0rm.medium.com/vextrios-br

Medium · VexTrio’s Browser Fingerprinting - Gi7w0rm - Medium · By Gi7w0rm

#vextrio for the win (again)! Whenever an article has the phrase "series of redirects" it is a TDS... and most of the time it will be VexTrio. A few weeks ago @briankrebs stumbled on them, and now Bleeping Computer. They are obviously going strong still @rmceoin @gentleshep in spite of exposure. No surprise. Check out urlscan for the TDS details. #dns #cybercrime #infosec #cybersecurity #threatintel #phishing #malware #tds #scam @BleepingComputer bleepingcomputer.com/news/goog

urlscan.io/result/d1d59c5f-b11
urlscan.io/result/99f03a78-22c

Recently, Brian Krebs unknowingly shared an example of a VexTrio fake robot CAPTCHA campaign. VexTrio runs a few variations of these kinds, but this one in particular uses domains with the prefix "re-captha-version-". They typically register the domains on a select few TLDs: fun, xyz, buzz, top, icu, and more recently, the com TLD. Here are a few that were registered in February.

re-captha-version-3-73[.]fun
re-captha-version-3-73[.]com
re-captha-version-3-71[.]com

*** It's imperative to block these domains before your users fall for the robot CAPTCHA trick. ***

After VexTrio establishes a notification channel with the victim's device, the browser worker talks to Google's Firebase Cloud Messaging (FCM) server and not VexTrio's domain. Here is a screenshot that shows VexTrio pushing notifications to a victim's Desktop.

Although it displays re-captha-version-3-53[.]top, the browser is fetching the notifications from Google's FCM servers. The user will stay infected until their system is cleaned up.

Thanks @rmceoin for catching the CAPTCHA examples. Maybe you have advice for post-infection clean-up?

Brian Krebs article: krebsonsecurity.com/2024/02/u-
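An added example, not code from these posts or from Infoblox, that serves two of the posts on this page: the one on DNS TXT records driving redirects from compromised websites (where the control point is the web server's own resolver, not the visitor) and the fake-CAPTCHA post above (the "re-captha-version-" prefix and its TLD list). It triages a resolver query log for both signals and renders a BIND-style RPZ block list. The log format, the host addresses, the allowlist and the name stat-cdn.invalid are constructed for the example; the re-captha-version domains in the sample are the ones quoted in the post.

```python
"""Triage a resolver query log for web-server TXT lookups and for
"re-captha-version-" fake-CAPTCHA domains, then emit an RPZ block list.
Added example; log format, addresses and allowlist are constructed."""
import re
from collections import Counter
from typing import NamedTuple


class Query(NamedTuple):
    ts: str
    client: str
    qname: str
    qtype: str


# Constructed format: "<timestamp> <client-ip> <qname> <qtype>". Real
# resolvers (BIND querylog, unbound, dnsmasq) only need a different LOG_RE.
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([A-Z]+)$")

# Constructed addresses of the hosts that serve web content.
WEB_SERVERS = {"10.0.5.21", "10.0.5.22"}

# TXT lookups the web tier legitimately makes (placeholder: a site that
# sends mail may resolve its own SPF/DMARC). Everything else is suspect.
TXT_ALLOWLIST = ("example-shop.test",)

# Naming pattern and TLDs named in the fake-CAPTCHA post.
FAKE_CAPTCHA_RE = re.compile(
    r"^re-captha-version-\d+-\d+\.(fun|xyz|buzz|top|icu|com)$")

SAMPLE_LOG = """\
2024-11-20T10:01:02Z 10.0.5.21 www.example-shop.test A
2024-11-20T10:01:03Z 10.0.5.21 _dmarc.example-shop.test TXT
2024-11-20T10:01:04Z 10.0.5.21 track.stat-cdn.invalid TXT
2024-11-20T10:01:09Z 10.0.5.22 track.stat-cdn.invalid TXT
2024-11-20T10:01:11Z 10.0.5.21 api.payments.test A
2024-11-20T10:02:30Z 10.0.9.40 re-captha-version-3-73.fun A
2024-11-20T10:02:31Z 10.0.9.40 Re-Captha-Version-3-73.com. AAAA
2024-11-20T10:02:40Z 10.0.9.41 mail.example-shop.test TXT
"""


def parse_log(text):
    """Parse log lines into Query tuples; qnames are lower-cased and the
    trailing dot is stripped so comparisons are exact."""
    queries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, qname, qtype = m.groups()
            queries.append(Query(ts, client, qname.rstrip(".").lower(), qtype))
    return queries


def _allowlisted(qname):
    return any(qname == s or qname.endswith("." + s) for s in TXT_ALLOWLIST)


def suspicious_txt_lookups(queries, web_servers=WEB_SERVERS):
    """Count TXT queries from web servers for names they have no business
    resolving. The same lookup from a mail relay is not counted: the
    control point is where the compromised site runs, not the visitor."""
    hits = Counter()
    for q in queries:
        if q.client in web_servers and q.qtype == "TXT" and not _allowlisted(q.qname):
            hits[q.qname] += 1
    return hits


def fake_captcha_domains(queries):
    """Distinct qnames matching the fake-CAPTCHA naming pattern."""
    return sorted({q.qname for q in queries if FAKE_CAPTCHA_RE.match(q.qname)})


def to_rpz(domains, origin="rpz.local"):
    """Render a BIND-style Response Policy Zone returning NXDOMAIN for each
    domain and its subdomains ("CNAME ." is the RPZ NXDOMAIN action).
    Load it on the resolver the web servers use."""
    lines = [f"$ORIGIN {origin}.", "$TTL 300",
             f"@ IN SOA localhost. hostmaster.{origin}. 1 3600 900 604800 300",
             "@ IN NS localhost."]
    for d in sorted(domains):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"


def triage(log_text=SAMPLE_LOG):
    queries = parse_log(log_text)
    txt_hits = suspicious_txt_lookups(queries)
    captcha = fake_captcha_domains(queries)
    return {"txt": dict(txt_hits), "captcha": captcha,
            "rpz": to_rpz(set(txt_hits) | set(captcha))}


if __name__ == "__main__":
    result = triage()
    for name, n in sorted(result["txt"].items(), key=lambda kv: -kv[1]):
        print(f"web-server TXT lookup x{n}: {name}")
    for name in result["captcha"]:
        print(f"fake CAPTCHA domain: {name}")
    print(result["rpz"])
```

The allowlist is the part that needs local tuning: a web tier that never sends mail should make no TXT queries at all, in which case every hit is worth a look. The RPZ output is only the blocking half of the post's advice; the injected code on the compromised site still has to be found and removed.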

We just released the results of collaborative research with @rmceoin on the kingpin of cybercrime traffic distribution: VexTrio. The longest lived, most pervasive threat we see in the wild. VexTrio has over 60 affiliates feeding them victims, including the famous SocGholish and ClearFake actors. Not just middlemen, they compromise WP sites and run their own campaigns as well. An end-to-end criminal gang. #dns #malware #phishing #cybercrime #tds #cybersecurity #vextrio #infosec blogs.infoblox.com/cyber-threa

Infoblox Blog · VexTrio at the Center of Affiliate Cybercrime Program | Infoblox · DNS threat actor VexTrio runs a large-scale criminal affiliate program including ClearFake and SocGholish actors.