Changes in Tactics, Techniques, and Procedures
Since the release of Infoblox’s first analysis report, VexTrio threat actors have modified their DNS infrastructure to better survive detection systems. Some of the changes amount to a simple DNS configuration update, while others indicate a high level of implementation effort according to the Pyramid of Pain [6]. Based on our analysis of historical VexTrio indicators, we identified the following notable changes to the TTPs:
- Compromised WordPress websites now fetch the intermediary C2 redirect URL via a DNS TXT record.
- Subdomain labels on the DDGA domains are now random numeric strings; previously they were random alphabetic labels.
- VexTrio has expanded its dictionary by at least 138 new words (see Figure 1).
- Some intermediary C2 domains have moved from dedicated, actor-controlled nameservers to shared Cloudflare nameservers.
Figure 1. DDGA domains discovered after the first publication show the expanded dictionary [7]
Overall, these changes make it challenging for security professionals to identify, track, and disrupt VexTrio network activity. DDGAs are particularly difficult to detect accurately due to their high overlap with legitimate domain assets. Additionally, the continuous change in VexTrio’s selection of DNS providers and subdomain naming scheme can quickly outpace the creation of security rules. This is especially true for organizations that have a limited view of the DNS landscape and rely on detection methods that are not scalable, such as URL blocklisting.
DNS-based Traffic Direction System
Figure 2. DNS TXT Response from the TDS
From the threat actor’s perspective, the main advantage of using a DNS-based TDS, as opposed to calling the TDS directly via HTTP, is persistence. By using Google as an intermediate DNS communication channel, the TDS server is not exposed to URL- or DNS-based blocking. Many organizations are unlikely to block the Google Public DNS domain (dns.google), which may be an integral part of their business operations.
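As an added defender-side example (not code from the Infoblox report), the following script flags the pattern described above in a web server's egress logs: DNS-over-HTTPS lookups to dns.google for TXT records, and TXT answers that carry a URL. The log line format, the sample hostnames, and the assumption that the compromised site uses Google's JSON DoH endpoint (`https://dns.google/resolve?name=...&type=TXT`) are constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample egress-proxy lines: "<timestamp> <src_host> <method> <url> <status>"
SAMPLE_LOG = """\
2024-02-01T10:00:01Z www-01 GET https://dns.google/resolve?name=cdn.example.com&type=A 200
2024-02-01T10:00:02Z www-01 GET https://dns.google/resolve?name=rd.tds-example.test&type=TXT 200
2024-02-01T10:00:03Z www-02 GET https://updates.example.org/plugin.zip 200
2024-02-01T10:00:04Z www-02 POST https://dns.google/dns-query 200
"""

# Constructed DoH JSON answer; RR type 16 is TXT and the data arrives as a quoted string.
SAMPLE_ANSWER = json.dumps({
    "Status": 0,
    "Answer": [{"name": "rd.tds-example.test.", "type": 16, "TTL": 300,
                "data": "\"https://redirect.tds-example.test/go?x=1\""}],
})

URL_IN_TXT = re.compile(r'https?://[^\s"\\]+', re.IGNORECASE)


def suspicious_doh_lookups(log_text):
    """Return (src_host, queried_name) for TXT lookups a web server sent to dns.google.
    A web server normally has no reason to ask a public resolver for TXT data over HTTPS,
    so each hit is worth correlating with the site's plugin and theme files."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash on them
        _, src, _, url, _ = parts
        u = urlparse(url)
        if u.hostname != "dns.google" or u.path != "/resolve":
            continue
        query = parse_qs(u.query)
        if query.get("type", [""])[0].upper() == "TXT":
            hits.append((src, query.get("name", [""])[0]))
    return hits


def urls_in_txt_answer(doh_json):
    """Extract URLs from the TXT records of a Google DoH JSON answer (redirect targets)."""
    found = []
    for rr in json.loads(doh_json).get("Answer", []):
        if rr.get("type") == 16:
            found.extend(URL_IN_TXT.findall(rr.get("data", "")))
    return found
```

Feeding the flagged names to `urls_in_txt_answer` on the recorded responses yields the intermediary redirect URLs, which can then be added to RPZ or proxy blocklists.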
Prevention and Mitigation
Infoblox specializes in security solutions that help protect organizations against persistent DNS threats such as VexTrio. Using effective DNS signatures and statistics-based algorithms, Infoblox continues to track VexTrio’s intermediary C2 and DDGA domains. We detected and blocked all of the DDGA indicators provided in the Sucuri report before they were activated for malicious activity. VexTrio is a large and malicious network that reaches a wide audience of internet users. Organizations should not undervalue the severity of the VexTrio threat based on the perception that the delivered content is seemingly less dangerous than other high-profile malware. As mentioned earlier in the report, VexTrio can be used as a delivery vector for other cybercrime syndicates. To improve your organization’s resilience against VexTrio and similar TTPs, we recommend the following actions for protection:
- Subscribe to Infoblox RPZ feeds that offer protection against malicious hostnames. These feeds enable organizations to stop the connection to the actors at the DNS level, as all components described in this report (compromised websites, intermediary redirect domains, DDGA domains, and landing pages) require the DNS protocol. TIG detects these components daily and adds them to Infoblox’s RPZ feeds [8].
- Leverage Infoblox’s Threat Insight service, which performs real-time streaming analytics on live DNS queries and can provide high-security coverage, along with protection against threats that are based on DGAs as well as DDGAs [9].
[7] This diagram focuses on words that show a minimum repetition of 20 and a character length of 4.