Author: Christopher Kim
Executive summary
Since February 2022, Infoblox’s Threat Intelligence Group (TIG) has been tracking malicious campaigns that use domains generated by a dictionary domain generation algorithm (DDGA) to run scams and spread riskware, spyware, adware, potentially unwanted programs, and pornographic content. This attack is widespread and impacts targets across many industries. From 1 to 12 May 2022, we detected more than 770,000 DNS queries to these domains, in approximately 50% of our cloud customer networks, across 24 industries. Based on the age of the domains, we judge that the threat actors have been conducting these campaigns for at least 13 months. For reporting and tracking purposes, we call this DDGA family and activity VexTrio.
We are releasing a new Cyber Threat Advisory (CTA) today that provides a comprehensive analysis of the actor’s infrastructure and operations. This work is the result of in-depth analysis of DNS events, associated registration data, and the fraudulent content itself. Our paper details the attack chain and reveals a number of the tactics, techniques, and procedures (TTPs) used by the actor, as well as the impact on various industries. Additionally, we are releasing 38,000 domains and IPs related to VexTrio to our GitHub repository for use by the security community.
VexTrio actors rely heavily on domains and the DNS protocol to operate their campaigns. They use vulnerable WordPress websites as attack vectors to serve fraudulent content to unsuspecting visitors. To accomplish this, they first find websites with cross-site scripting (XSS) vulnerabilities in WordPress themes or plugins, then inject malicious JavaScript code into them. When a victim visits one of these websites, the injected code leads them, via one or more intermediary redirect domains that are also controlled by the actors, to a landing web page that hosts fraudulent content. To avoid detection, the actors have built several checks into their JavaScript, and the redirect fires only when all of the following conditions hold:
- The user arrived at the WordPress website from a search engine; for example, the referrer URL can be https://www.google.com/.
- Cookies are enabled in the user’s web browser.
- The user has not visited a VexTrio-compromised web page in the past 24 hours.
A direct visit, a browser with cookies disabled, or a repeat visit within 24 hours therefore receives the unmodified page, which is why a crawler or analyst that fetches the URL without a search-engine referrer sees only the original page content.
The network infrastructure that supports the campaigns is stable: it continually adds new domains, but the actors have been using the same IPs and nameservers for over a year. VexTrio actors use a relatively small number of fraudulent redirect domains to conditionally lead victims to landing web pages on DDGA domains. In some cases we have observed a DDGA domain act as an intermediary redirect itself, or pass the victim on to a decoy landing page if they did not fit the actors’ target profile. The naming convention of the DDGA domains has also been consistent: three dictionary words, either concatenated or separated by hyphens. So far, we have observed the following naming formats across all second-level domains:
- {firstword}{secondword}{thirdword}.tld
- {firstword}{secondword}-{thirdword}.tld
- {firstword}-{secondword}-{thirdword}.tld
By analyzing all of the VexTrio DDGA domains we’ve discovered so far, we were able to determine the dictionary that VexTrio uses to generate DDGA domains. We have developed analytics to detect multiple components of the attack chain: compromised WordPress websites, intermediary fraudulent redirect domains, and DDGA domains. To disrupt customer DNS queries to the VexTrio components, we append relevant network indicators to Infoblox DNS response policy zone (RPZ) feeds.
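The following Python matcher is an added example, not Infoblox’s analytic or code, that implements the three naming formats listed above as a detection check: it reads the second-level label as exactly three dictionary words, allows hyphens only at word boundaries, and accepts only the hyphen layouts reported on this page (so a label with a hyphen only between the first and second word is rejected). The word list and domain names are constructed for illustration and are not the recovered VexTrio dictionary or observed indicators; the TLD split assumes a single-label public suffix.

```python
"""Heuristic matcher for three-word dictionary DGA (DDGA) domain names.

Added example, not Infoblox code. The word list below is constructed for
illustration and is NOT the recovered VexTrio dictionary; a real detector
would load the word list derived from observed VexTrio domains.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample dictionary (hypothetical, for illustration only).
SAMPLE_DICTIONARY = frozenset({
    "acid", "alpha", "bottle", "burden", "cat", "cattle", "deal", "fresh",
    "gate", "hold", "job", "mark", "net", "news", "open", "over", "ridge",
    "river", "share", "stone", "sun", "tap", "way", "work",
})

# Hyphen layouts reported on the page, as the 1-based word gaps carrying a hyphen:
#   ()     -> {w1}{w2}{w3}
#   (2,)   -> {w1}{w2}-{w3}
#   (1, 2) -> {w1}-{w2}-{w3}
# A hyphen only in gap 1 ({w1}-{w2}{w3}) is not a reported format, so it is rejected.
ALLOWED_HYPHEN_GAPS = frozenset({(), (2,), (1, 2)})


def split_sld(fqdn: str) -> Tuple[str, str]:
    """Return (second-level label, top-level label).

    Assumes a single-label public suffix such as .com or .net; names under
    multi-label suffixes (.co.uk) would need a public suffix list instead.
    """
    labels = fqdn.lower().strip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a registrable domain: {fqdn!r}")
    return labels[-2], labels[-1]


def segment_three_words(sld: str, dictionary=SAMPLE_DICTIONARY
                        ) -> Optional[Tuple[List[str], Tuple[int, ...]]]:
    """Read the label as exactly three dictionary words, hyphens only at word gaps.

    Returns (words, hyphen_gaps) or None. Every segmentation is explored because
    unhyphenated labels are ambiguous: 'cattlefreshnet' dead-ends after 'cat'
    and only succeeds after backtracking to 'cattle' + 'fresh' + 'net'.
    """
    # Reject empty labels and leading, trailing or doubled hyphens up front.
    if not re.fullmatch(r"[a-z0-9]+(?:-[a-z0-9]+)*", sld):
        return None
    found: List[Tuple[List[str], Tuple[int, ...]]] = []

    def rec(i: int, words: List[str], gaps: Tuple[int, ...]) -> None:
        if len(words) == 3:
            if i == len(sld):          # all input consumed by exactly three words
                found.append((words, gaps))
            return
        if i < len(sld) and sld[i] == "-":
            # The hyphen sits in the gap after word number len(words); the regex
            # above guarantees it never appears at position 0.
            i, gaps = i + 1, gaps + (len(words),)
        for j in range(i + 1, len(sld) + 1):
            candidate = sld[i:j]
            if candidate in dictionary:
                rec(j, words + [candidate], gaps)

    rec(0, [], ())
    for words, gaps in found:
        if gaps in ALLOWED_HYPHEN_GAPS:
            return words, gaps
    return None


def is_ddga_style(fqdn: str, dictionary=SAMPLE_DICTIONARY) -> bool:
    """True if the registrable label matches the three-word DDGA pattern."""
    sld, _tld = split_sld(fqdn)
    return segment_three_words(sld, dictionary) is not None


def scan(domains) -> Dict[str, Tuple[List[str], Tuple[int, ...]]]:
    """Map each matching domain to its segmentation; non-matching names are omitted."""
    hits = {}
    for d in domains:
        seg = segment_three_words(split_sld(d)[0], SAMPLE_DICTIONARY)
        if seg is not None:
            hits[d] = seg
    return hits


# Constructed sample input (hypothetical names, not observed indicators).
SAMPLE_DOMAINS = [
    "freshriverstone.com",    # {w1}{w2}{w3}
    "opengate-work.net",      # {w1}{w2}-{w3}
    "sun-tap-way.org",        # {w1}-{w2}-{w3}
    "www.cattlefreshnet.com", # needs backtracking past 'cat'
    "share-holdover.com",     # three words, but hyphen layout not in the reported set
    "marknet.com",            # only two dictionary words
    "sunwayholdover.com",     # four dictionary words
    "example.com",            # not composed of dictionary words
]

if __name__ == "__main__":
    for domain, (words, gaps) in scan(SAMPLE_DOMAINS).items():
        print(f"{domain}: words={words} hyphen_gaps={gaps}")
```

In practice a check like this is only one feature: a legitimate three-word brand name will also match, so the page’s own analytics combine it with the other components of the chain (the compromised WordPress referrer, the known redirect domains, and the registration and hosting data).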