Author: Chance Tudor
With the introduction of Infoblox's Zero Day DNS™ feature in the Threat Insight module of BloxOne Threat Defense, customers gain an additional layer of protection. This system, paired with a human in the loop, allows Infoblox Threat Intel to identify and respond to emerging threats quickly.
One such example is the discovery of yet another DNS-based traffic distribution system (TDS) domain operated by VexTrio Viper, aka VexTrio [1]. The actor behind VexTrio Viper does not register TDS domains very often, roughly once every three to six months. The domain in question, airlogs[.]net, follows the traditional VexTrio TDS domain naming convention:
<infected-site>.<visitor-ip>.<random-number>.[nd|ni|nm].airlogs[.]net
In the above naming scheme, nd, ni, and nm indicate whether the visitor's device is a desktop, an iPhone, or another mobile device, respectively. We suspect that the actor created airlogs[.]net in direct response to an April 18, 2024 Sucuri report [2] that identified a fundamental change in how VexTrio operates its DNS TDS system. The TDS changed from a client-side to a server-side check and no longer routes queries through Google's public DNS resolvers. We are confident that the VexTrio Viper actor, and not an affiliate, compromised the websites with this particular TDS configuration. Large-scale detection of VexTrio Viper is difficult without DNS analysis. The actor's TTP change involves hiding the DNS queries for redirect domains inside a compromised WordPress plugin, so neither a web crawl of the compromised website nor its HTTP logs will reveal the DNS TDS server; the TXT lookup is made from the server side and only shows up in the web host's DNS traffic.
VexTrio Viper created airlogs[.]net on April 23, 2024, shortly after Sucuri published their article, and appeared to begin using it immediately. In fact, queries to cloud-stats[.]com, another VexTrio DNS TDS domain created on 2024-03-13, stopped after April 23, 2024. Query volume to airlogs[.]net spiked to nearly 50,000 queries on April 27, just four days after registration, but normalized afterward.
The A records for the domain’s name server point to two Russian IP addresses, 95[.]216[.]232[.]139 and 185[.]161[.]248[.]253; these IP addresses were also seen tied to cloud-stats[.]com name servers.
The dominant query type seen for airlogs[.]net was TXT, which tracks with the prior research published by Infoblox and Sucuri. Once a visitor to a compromised website is established to be a) not an admin or logged-in user of the site and b) a first-time visitor within a 24-hour period, the malware on the infected website creates a dynamic subdomain of airlogs[.]net. The malware then makes a TXT record request for that subdomain.
We saw base64 encoded responses that decoded to specific URLs on web-hosts[.]io, as seen in previous research, as well as a base64 encoded response value that decoded to “err.” This “err” was the response value to the majority of queries that we have seen and we believe this to be the default response when the above criteria are not met for a visitor.
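The naming scheme and the TXT-record behaviour described above can be turned into a simple detection over DNS query logs. The following is an added example, not code from the report or from Infoblox: it matches query names against the `<infected-site>.<visitor-ip>.<random-number>.[nd|ni|nm].airlogs.net` pattern, base64-decodes the TXT answer, and classifies it as the default "err" reply or a redirect URL. The log lines, site names, visitor IPs and URL path are constructed for the demo.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Pattern for the VexTrio Viper DNS TDS subdomain scheme from the report:
#   <infected-site>.<visitor-ip>.<random-number>.[nd|ni|nm].airlogs.net
# "airlogs[.]net" is defanged in the write-up; real queries carry a plain dot.
TDS_QUERY_RE = re.compile(
    r"^(?P<site>[a-z0-9-]+(?:\.[a-z0-9-]+)*)\."
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\."
    r"(?P<rand>\d+)\."
    r"(?P<dev>nd|ni|nm)\."
    r"airlogs\.net\.?$",
    re.IGNORECASE,
)
DEVICE_CLASS = {"nd": "desktop", "ni": "iphone", "nm": "mobile"}

@dataclass
class TdsHit:
    infected_site: str          # the compromised website that issued the lookup
    visitor_ip: str             # the site visitor's IP embedded in the query name
    device: str                 # desktop / iphone / mobile, from the nd|ni|nm label
    decoded_txt: Optional[str]  # None when there was no (valid base64) TXT answer
    outcome: str                # "default-err", "redirect-url" or "no-answer"

def parse_tds_query(qname: str, txt_answer: Optional[str] = None) -> Optional[TdsHit]:
    """Return a TdsHit if qname matches the airlogs.net scheme, else None."""
    m = TDS_QUERY_RE.match(qname.strip())
    if not m:
        return None
    decoded, outcome = None, "no-answer"
    if txt_answer is not None:
        try:
            decoded = base64.b64decode(txt_answer.strip('"'), validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            decoded = None
        if decoded == "err":            # default reply when the visitor criteria fail
            outcome = "default-err"
        elif decoded and decoded.startswith("http"):
            outcome = "redirect-url"    # visitor will be sent to the decoded URL
    return TdsHit(m["site"], m["ip"], DEVICE_CLASS[m["dev"].lower()], decoded, outcome)

def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

# Constructed sample log entries (qname, qtype, TXT answer); not from the report.
SAMPLE_LOG = [
    ("blog.example.org.203.0.113.7.48213.nd.airlogs.net", "TXT", _b64("err")),
    ("shop.example.com.198.51.100.9.77.ni.airlogs.net", "TXT", _b64("https://web-hosts.io/abc")),
    ("www.example.net", "A", None),
]

def scan_log(entries):
    """Return a TdsHit for every TXT query in the log that matches the TDS scheme."""
    return [h for q, qt, ans in entries if qt == "TXT" and (h := parse_tds_query(q, ans))]
```

A "redirect-url" outcome is the interesting alert: it identifies both the compromised site (the first label) and the visitor being redirected, which HTTP logs alone no longer show.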
With the move to a server-side redirect to VexTrio Viper domains, identifying what’s triggering the redirect and identifying a specific query to one of its domains becomes even more challenging. A DNS-based security solution like BloxOne Threat Defense offers continued protection from VexTrio Viper and other DNS threat actors. And, through continued collaboration and information sharing, the cybersecurity community can adapt and fortify defenses, even as threat actors change their tactics.
Footnotes
1. https://www.infoblox.com/threat-intel/threat-actors/vextrio/
2. https://blog.sucuri.net/2024/04/javascript-malware-switches-to-server-side-redirects-dns-txt-records-tds.html