CyberSecurity news
Source: The Hacker News (info@thehackernews.com)
A sophisticated cybercriminal network known as VexTrio has been exploiting WordPress sites to run a global scam network. Cybersecurity researchers have uncovered a large-scale campaign involving malicious JavaScript injections into legitimate websites. These injections redirect visitors to various scam pages through traffic broker networks associated with VexTrio, a major cybercriminal affiliate network. The network uses sophisticated DNS techniques, traffic distribution systems (TDS), and domain generation algorithms to deliver malware and scams, impacting thousands of websites worldwide.
VexTrio operates through a network of malicious adtech companies, including Los Pollos, Taco Loco, and Adtrafico, which function as commercial affiliate networks. These networks connect malware distributors with "advertising affiliates" who promote illicit schemes such as gift card fraud, malicious apps, phishing sites, and scams. The compromised WordPress sites are injected with malicious code, initiating a redirection chain to VexTrio's scam infrastructure. Examples of such malicious injections include Balada, DollyWay, Sign1, and DNS TXT record campaigns.
The campaign has seen significant activity, with over 269,000 websites infected with JSFireTruck JavaScript malware in a single month. This obfuscation technique uses only six ASCII characters to produce working code, making it difficult to analyze without specialized tools. The injected code checks for search engine referrers and redirects users to malicious URLs delivering malware, exploits, and malvertising. While efforts to disrupt the network, such as the exposure of Los Pollos' involvement, have caused temporary disruptions and shifts in tactics, the VexTrio network continues to pose a substantial threat.
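Two of the behaviours described above give defenders something concrete to look for on a compromised site: script blocks whose body is written almost entirely in a six-character alphabet, and scripts that read the referrer and then redirect. The following scanner is an added illustration, not code from the article or from any of the cited researchers. It assumes the six characters are the well-known JSFuck set `[]()!+` (the article says only "six ASCII characters" and does not list them), and the sample HTML, threshold values and function names are constructed for this example.

```python
import re

# Assumed alphabet: the six characters of the well-known JSFuck technique.
# The article says "six ASCII characters" but does not enumerate them.
JSFUCK_CHARS = frozenset("[]()!+")

# Crude but sufficient for a first-pass scan of page source; a real deployment
# should use an HTML parser so attribute quirks cannot hide a script block.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
REFERRER_RE = re.compile(r"document\.referrer", re.IGNORECASE)
REDIRECT_RE = re.compile(r"location\.(?:href|replace|assign)|window\.location", re.IGNORECASE)


def jsfuck_ratio(script_body: str) -> float:
    """Fraction of non-whitespace characters that belong to the six-character alphabet."""
    chars = [c for c in script_body if not c.isspace()]
    if not chars:
        return 0.0
    return sum(c in JSFUCK_CHARS for c in chars) / len(chars)


def classify_script(script_body: str, ratio_threshold: float = 0.95, min_len: int = 200) -> list[str]:
    """Return the list of heuristics a script body trips (empty list means nothing suspicious).

    min_len keeps short, legitimate snippets such as "[]" or "(!0)" from triggering
    the alphabet check; ratio_threshold tolerates a few stray characters such as a
    trailing semicolon.
    """
    reasons = []
    stripped = "".join(script_body.split())
    if len(stripped) >= min_len and jsfuck_ratio(script_body) >= ratio_threshold:
        reasons.append("jsfuck-style alphabet")
    # Referrer-conditioned redirects are what the injected code is reported to do;
    # on their own they are only a signal, so both conditions are required.
    if REFERRER_RE.search(script_body) and REDIRECT_RE.search(script_body):
        reasons.append("referrer-conditioned redirect")
    return reasons


def scan_html(html: str, **kwargs) -> list[dict]:
    """Scan every <script> block in a page and report the ones that trip a heuristic."""
    findings = []
    for idx, match in enumerate(SCRIPT_RE.finditer(html)):
        body = match.group(1)
        reasons = classify_script(body, **kwargs)
        if reasons:
            findings.append({
                "index": idx,
                "length": len(body),
                "ratio": round(jsfuck_ratio(body), 3),
                "reasons": reasons,
            })
    return findings


# Constructed sample page: one ordinary script, one block of filler drawn only from the
# six-character alphabet (it mimics the shape of the obfuscated output and is not meant
# to execute), and one small referrer-gated redirect. None of this is taken from a real site.
BENIGN_SCRIPT = "var el = document.getElementById('hero'); el.textContent = 'Welcome';"
OBFUSCATED_SCRIPT = "(![]+[])[+[]]+(!![]+[])[+!![]]" * 12
REFERRER_SCRIPT = (
    "if (document.referrer.indexOf('google') > -1) "
    "{ location.href = 'https://example.invalid/landing'; }"
)
SAMPLE_HTML = f"""<html><head>
<script>{BENIGN_SCRIPT}</script>
<script type="text/javascript">{OBFUSCATED_SCRIPT}</script>
</head><body>
<script>{REFERRER_SCRIPT}</script>
</body></html>"""


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(f"script #{finding['index']}: len={finding['length']} "
              f"ratio={finding['ratio']} reasons={finding['reasons']}")
```

Running the block reports the second and third script blocks and stays silent on the first. The alphabet ratio is deliberately separated from the length floor so that analysts can tune each one against their own site's baseline; a site that legitimately ships minified code will still score far below 0.95 because identifiers, dots and string literals pull the ratio down.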
References:
- blogs.infoblox.com: Vexing and Vicious: The Eerie Relationship between WordPress Hackers and an Adtech Cabal
- The Hacker News: WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network
- The Hacker News: Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month
- unit42.paloaltonetworks.com: Palo Alto Networks researchers Hardik Shah, Brad Duncan & Pranay Kumar Chhaparwal discovered a large-scale campaign that has been compromising legitimate websites with injected, obfuscated JavaScript code.
- www.scworld.com: 270K websites injected with ‘JSF-ck’ obfuscated code
- Infoblox Blog: Vexing and Vicious: The Eerie Relationship between WordPress Hackers and an Adtech Cabal
- ciso2ciso.com: Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month – Source:thehackernews.com
- Techzine Global: DNS analysis reveals links between VexTrio and WordPress hackers
- Virus Bulletin: Palo Alto Networks researchers Hardik Shah, Brad Duncan & Pranay Kumar Chhaparwal discovered a large-scale campaign that has been compromising legitimate websites with injected, obfuscated JavaScript code.
- ciso2ciso.com: WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network – Source:thehackernews.com
Classification:
- HashTags: #VexTrio #WordPress #Malware
- Company: WordPress
- Target: WordPress website owners and users
- Attacker: VexTrio
- Product: WordPress
- Feature: Malware Distribution
- Malware: Viper TDS
- Type: Malware
- Severity: Major