The threat actors behind the VexTrio Viper Traffic Distribution Service (TDS) have been linked to other TDS services such as Help TDS and Disposable TDS, indicating that the sophisticated cybercriminal operation is a sprawling enterprise in its own right, built to distribute malicious content.
“VexTrio is a group of malicious adtech companies that distribute scams and harmful software through various advertising formats, including smartlinks and push notifications,” Infoblox said in a deep-dive report shared with The Hacker News.
Some of the malicious adtech companies under the VexTrio Viper umbrella include Los Pollos, Taco Loco, and Adtrafico. These companies are described as commercial affiliate networks that connect malware actors, whose websites infect users, with so-called “advertising affiliates” that offer various forms of illegal schemes such as gift card fraud, malicious apps, phishing sites, and scams.
Put differently, these malicious traffic distribution systems are designed to redirect victims to their destination through smartlinks or direct offers. According to the DNS threat intelligence firm, Los Pollos recruits malware distributors (aka publishing affiliates) with promises of high-paying offers, while Taco Loco specializes in push monetization and recruits advertisers.
Another notable component of these attacks is the compromise of WordPress websites to inject malicious code that is responsible for starting the redirect chain, eventually leading visitors to the VexTrio scam infrastructure. Examples of such injections include Balada, DollyWay, Sign1, and DNS TXT record campaigns.
“These scripts redirect site visitors to various scam pages through the traffic broker network associated with VexTrio, which is one of the largest known cybercriminal affiliate networks, leveraging sophisticated DNS techniques, traffic distribution systems, and domain generation algorithms to distribute malware and scams across global networks.”
VexTrio's operation suffered a setback in mid-November 2024 after Qurium revealed that the Swiss-Czech adtech company Los Pollos was part of VexTrio, prompting Los Pollos to shut down its push link monetization. This, in turn, triggered a migration in which threat actors who had relied on the Los Pollos network moved to Help TDS and Disposable TDS instead.
[Figure: Two independent C2 sets change behavior over time]
Infoblox's analysis of 4.5 million DNS TXT record responses from compromised websites over a period of six months showed that the domains that were part of the DNS TXT record campaigns can be classified into two sets, each with its own distinct command-and-control (C2) server.
“Both servers were hosted on Russian infrastructure, but neither their hosting nor their TXT responses overlapped,” the company said. “Each set maintained separate redirect URL structures, even though they originally led to VexTrio and later to Help TDS.”
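The grouping described above (responses bucketed by the C2 that served them, then compared by redirect URL structure) is the kind of triage an analyst would run over TXT-record telemetry before concluding that two sets are independent. The following is an added example, not code from Infoblox or the report; the TXT payload format (a bare redirect URL in the TXT string), the sample hostnames and the `url_shape` normalisation are all constructed assumptions for illustration and do not describe any real campaign's encoding.

```python
"""Cluster DNS TXT record responses by the C2 name that served them and by the
structure of the redirect URL they carry, then check whether the clusters share
any URL structure (the report found that the two sets did not overlap)."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample telemetry: (queried C2 name, TXT string returned).
# All hostnames are placeholders, not real indicators.
SAMPLE_TXT_RESPONSES = [
    ("cfg.c2-alpha.example", "https://redirect-a.example/go/8f3a/land?zone=12"),
    ("cfg.c2-alpha.example", "https://redirect-a.example/go/1b7c/land?zone=7"),
    ("cfg.c2-beta.example", "https://broker-b.example/r.php?id=4421&src=wp"),
    ("cfg.c2-beta.example", "https://broker-b.example/r.php?id=9903&src=wp"),
    ("cfg.c2-alpha.example", "v=spf1 -all"),  # benign TXT, should be skipped
]

URL_RE = re.compile(r"https?://[^\s\"']+")


def extract_url(txt):
    """Return the first http(s) URL in a TXT string, or None if there is none."""
    m = URL_RE.search(txt)
    return m.group(0) if m else None


def url_shape(url):
    """Collapse per-victim variable parts (hex tokens, numbers, query values)
    so that structurally similar redirect URLs map to one shape string."""
    p = urlparse(url)
    path = re.sub(r"[0-9a-f]{4,}", "<tok>", p.path)  # hex-looking tokens
    path = re.sub(r"\d+", "<n>", path)               # remaining digit runs
    keys = sorted(kv.split("=", 1)[0] for kv in p.query.split("&") if kv)
    shape = f"{p.netloc}{path}"
    return f"{shape}?{'&'.join(keys)}" if keys else shape


def cluster_responses(responses):
    """Map each C2 name to the set of redirect URL shapes it served.
    Returns (clusters, number_of_responses_without_a_url)."""
    clusters = defaultdict(set)
    skipped = 0
    for c2, txt in responses:
        url = extract_url(txt)
        if url is None:
            skipped += 1
            continue
        clusters[c2].add(url_shape(url))
    return dict(clusters), skipped


def shapes_overlap(clusters):
    """True if any two C2 clusters share at least one redirect URL shape."""
    names = list(clusters)
    for i in range(len(names)):
        for j in range(i + 1, len(names)):
            if clusters[names[i]] & clusters[names[j]]:
                return True
    return False


if __name__ == "__main__":
    clusters, skipped = cluster_responses(SAMPLE_TXT_RESPONSES)
    for c2, shapes in clusters.items():
        print(c2)
        for s in sorted(shapes):
            print("   ", s)
    print("responses without a URL:", skipped)
    print("clusters share a URL shape:", shapes_overlap(clusters))
```

On real telemetry the interesting signal is the time dimension the figure alludes to: running `cluster_responses` over daily slices and diffing the shape sets per C2 shows when a set switches its redirect destination, without needing the TXT payload format to be known in advance beyond "contains a URL".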
Further evidence has revealed that Help TDS and Disposable TDS are one and the same, and that the service had an “exclusive relationship” with VexTrio as of November 2024. Help TDS, which historically redirected traffic to VexTrio domains, has since transitioned to Monetizer, a TDS that connects web traffic with publishers.
“Help TDS has a strong Russian nexus, with hosting and domain registration often done through Russian entities,” Infoblox said, describing the operators as possibly independent. “This is not a fully developed functionality of the VexTrio TDSs, and there are no clear commercial relationships beyond its close connection with VexTrio.”
Renée Burton, Vice President of Threat Intel at Infoblox, told The Hacker News that Help TDS was reconfigured specifically for Monetizer. “We know there is some special relationship between Help TDS and VexTrio, meaning they are likely in coordination,” Burton said. “They share software. [But] we do not know the relationship between VexTrio and Monetizer. In other words, the transition of Help TDS is not actually the running of a new TDS.”
VexTrio is one of many TDSs that pose as commercial adtech firms; others include Partners House, BroPush, RichAds, Admeking, and RexPush. Many of these have moved to push notification services, using Google Firebase Cloud Messaging (FCM) to distribute links to malicious content through push notifications.
“Hundreds of thousands of compromised websites around the world redirect victims every year into the web of VexTrio and VexTrio-affiliated TDSs,” the company said.
“VexTrio and other affiliated advertising companies know who the malware actors are, or at least have enough information to track them. Many of the companies are registered in countries that require some degree of ‘know your customer’ (KYC), but even without these requirements, the publishing affiliates are vetted by their customers.”