Monday 27 November 2017

Weekly TrickBot Analysis - End of w/c 20-Nov-2017 to 1000090

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 20th November 2017. This analysis covers 880 unique C2 IP addresses used in 206 mcconfs across 80 versions, with a latest version of 1000090.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

One new version was discovered in the last week (1000090), four the week before, and three the week before that.

TrickBot Version Discovery Dates

The following graph shows the number of server entries using ports:
  • 443 (HTTPS);
  • 445 (microsoft-ds, i.e. SMB over TCP);
  • 449 (IBM AS Server Mapper); and 
  • 451 (Cray Network Semaphore Server).
(The names in brackets are only the IANA-registered services for those port numbers; TrickBot uses all of them for its own HTTPS C2, so a filter based on the registered service would miss it.) Counts of server entries dropped slightly in the last week.

TrickBot SRV Port Usage

The following table shows the top 25 servers (of 880 unique) used within the 80 versions. Last week's mcconfs used 11 servers not seen before and reused 19 (two of which had only previously been used in versions 1000026/27 from mid-2017).

TrickBot Top 25 SRV

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 206 mcconfs analysed. The 'kas' gtag continues to be the most active campaign amongst shared mcconfs.


TrickBot gtag Breakdown
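The roll-up above (unique C2 IPs, versions, port usage per version, gtag breakdown, server reuse) is straightforward to reproduce from the mcconfs themselves. The following is an added example, not the author's own tooling. It assumes the commonly reported mcconf layout of `<mcconf><ver/><gtag/><servs><srv>ip:port</srv>...</servs></mcconf>`; the three sample configs are constructed, with RFC 5737 documentation addresses and made-up gtags, and the function and variable names are my own.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample mcconfs, not real TrickBot configs. The layout assumed here is the
# commonly reported <mcconf><ver/><gtag/><servs><srv>ip:port</srv>...</servs></mcconf>
# shape; the IPs are RFC 5737 documentation addresses and the gtags are made up.
SAMPLE_MCCONFS = [
    """<mcconf><ver>1000089</ver><gtag>kas1</gtag><servs>
<srv>192.0.2.10:443</srv><srv>192.0.2.11:449</srv><srv>198.51.100.5:449</srv>
</servs><autorun><module name="systeminfo" ctl="GetSystemInfo"/></autorun></mcconf>""",
    """<mcconf><ver>1000090</ver><gtag>kas1</gtag><servs>
<srv>192.0.2.10:443</srv><srv>203.0.113.7:443</srv><srv>198.51.100.5:449</srv>
</servs></mcconf>""",
    """<mcconf><ver>1000090</ver><gtag>mac1</gtag><servs>
<srv>203.0.113.7:443</srv><srv>203.0.113.8:445</srv><srv>not-an-address</srv>
</servs></mcconf>""",
]

SRV_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_mcconf(xml_text):
    """Return (version, gtag, [(ip, port), ...]) for one mcconf.

    The config is attacker-supplied XML, so it is parsed with an XML parser rather
    than regex-scraped; an <srv> that is not ip:port is dropped, not fatal."""
    root = ET.fromstring(xml_text)
    ver = int(root.findtext("ver", default="0"))
    gtag = (root.findtext("gtag") or "").strip()
    servers = []
    for srv in root.iterfind("servs/srv"):
        m = SRV_RE.match((srv.text or "").strip())
        if m:
            servers.append((m.group(1), int(m.group(2))))
    return ver, gtag, servers


def analyse(mcconfs):
    """Weekly roll-up: version list, unique C2 IPs, port usage per version, gtag
    breakdown, per-server usage, and new-vs-reused servers in the latest version."""
    parsed = sorted((parse_mcconf(x) for x in mcconfs), key=lambda p: p[0])
    versions = sorted({ver for ver, _, _ in parsed})
    latest = versions[-1]
    unique_ips = {ip for _, _, servs in parsed for ip, _ in servs}

    port_by_version = defaultdict(Counter)   # version -> port -> server entries
    gtags = Counter()                        # gtag -> number of mcconfs
    server_usage = Counter()                 # "ip:port" -> number of mcconfs
    first_seen = {}                          # "ip:port" -> first version using it
    for ver, gtag, servs in parsed:          # parsed is version-ordered
        gtags[gtag] += 1
        for ip, port in servs:
            key = f"{ip}:{port}"
            port_by_version[ver][port] += 1
            server_usage[key] += 1
            first_seen.setdefault(key, ver)

    latest_servers = {f"{ip}:{port}" for ver, _, servs in parsed if ver == latest
                      for ip, port in servs}
    reused = sum(1 for s in latest_servers if first_seen[s] < latest)
    return {
        "mcconfs": len(parsed),
        "versions": versions,
        "latest": latest,
        "unique_ips": len(unique_ips),
        "port_by_version": {v: dict(c) for v, c in port_by_version.items()},
        "gtags": dict(gtags),
        "top_servers": server_usage.most_common(25),
        "latest_reused": reused,
        "latest_new": len(latest_servers) - reused,
    }


if __name__ == "__main__":
    r = analyse(SAMPLE_MCCONFS)
    print(f"{r['unique_ips']} unique C2 IPs in {r['mcconfs']} mcconfs across "
          f"{len(r['versions'])} versions, latest {r['latest']}")
    for ver, ports in r["port_by_version"].items():
        print(ver, ports)
    print("gtags:", r["gtags"])
    print("latest version: new", r["latest_new"], "reused", r["latest_reused"])
```

Server reuse is keyed on ip:port rather than IP alone, which is what makes the "two servers last seen in 1000026/27" observation possible: the same IP coming back on a different port would otherwise be counted as new.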

The BGP prefix registrations for the C2 server IP addresses are heavily biased to RU. New IPs this week were allocated to 1xAL, 1xLT, 1xPA, 1xPL and 7xRU.

TrickBot SRV IP Address BGP Prefix Country Codes

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

TrickBot SRV IP Address BGP Prefix Country Codes By Version

Thanks to @mpvillafranca94, @JR0driguezB, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @0bscureC0de, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @spalomaresg, @virsoz, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, and @Techhelplistcom for sharing the mcconfs.

Particular thanks go to @JR0driguezB for providing some old mcconfs which filled historical gaps. 

Monday 20 November 2017

Weekly TrickBot Analysis - End of w/c 13-Nov-2017 to 1000089

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 13th November 2017. This analysis covers 818 unique C2 IP addresses used in 184 mcconfs across 73 versions, with a latest version of 1000089.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Four new versions discovered in the last week (1000086, 1000087, 1000088 and 1000089), three the week before, and four the week before that.

TrickBot Version Discovery Dates

The following graph shows the number of server entries using ports:
  • 443 (HTTPS);
  • 445 (microsoft-ds, i.e. SMB over TCP);
  • 449 (IBM AS Server Mapper); and 
  • 451 (Cray Network Semaphore Server).
Counts of server entries dropped briefly in 1000087 before continuing to rise. The percentage of :449 hosts is falling.

TrickBot SRV Port Usage

The following table shows the top 25 servers (of 818 unique) used within the 73 versions. Last week's mcconfs used 67 unique servers, none of which had been used prior to 1000080 (which was discovered 31st October 2017).

TrickBot Top 25 SRV

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 184 mcconfs analysed. The 'kas' gtag continues to be the most active campaign amongst shared mcconfs.


TrickBot gtag Breakdown

The BGP prefix registrations for the C2 server IP addresses are heavily biased to RU. New IPs this week were allocated to 37xRU, 11xLT, 3xKZ, 3xNL, 2xGB, 1xCH and 1xLU.

TrickBot SRV IP Address BGP Prefix Country Codes

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

TrickBot SRV IP Address BGP Prefix Country Codes By Version

Monday 13 November 2017

Weekly TrickBot Analysis - End of w/c 06-Nov-2017 to 1000085

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 6th November 2017. This analysis covers 758 unique C2 IP addresses used in 172 mcconfs across 68 versions, with a latest version of 1000085.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.) Three new versions were discovered last week (1000083, 1000084 and 1000085), four the week before, and five the week before that.

TrickBot Version Discovery Dates

The following graph shows the number of server entries using ports:
  • 443 (HTTPS);
  • 445 (microsoft-ds, i.e. SMB over TCP);
  • 449 (IBM AS Server Mapper); and 
  • 451 (Cray Network Semaphore Server).
Counts of server entries are currently increasing, but the high of 1000070/71 is still some way off.

TrickBot SRV Port Usage

The following table shows the top 25 servers (of 758 unique) used within the 68 versions. Last week's mcconfs used 51 unique servers, only 2 of which had been used prior to 1000080 (which was discovered 31st October 2017).

TrickBot Top 25 SRV

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 172 mcconfs analysed. The 'kas' gtag continues to be the most active campaign amongst shared mcconfs.


TrickBot gtag Breakdown

The BGP prefix registrations for the C2 server IP addresses are heavily biased to RU. New IPs this week were allocated to 21xRU, 5xLT, 3xLU, 3xNL, 3xPA and 1xPL.

TrickBot SRV IP Address BGP Prefix Country Codes

The following table shows a new analysis - the BGP allocation to country by TrickBot version.

TrickBot SRV IP Address BGP Prefix Country Codes By Version
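The by-version country table, and the weekly "new IPs allocated to ..." counts, are a longest-prefix match of each C2 IP against a BGP table followed by a cross-tab on version. The following is an added example of that step, not the author's own script. Both inputs are constructed: the prefix-to-country table uses RFC 5737 documentation prefixes with made-up country codes (a real run would join a routing table dump, e.g. from RouteViews or RIPE RIS, to the RIR registration country), and the (version, IP) pairs stand in for what a mcconf parser would emit. Function names are my own.

```python
import ipaddress
from collections import Counter, defaultdict

# Hypothetical prefix-to-country table standing in for a BGP table export joined to the
# RIR registration country. Documentation prefixes, made-up country codes.
PREFIX_CC = [
    ("192.0.2.0/24", "RU"),
    ("192.0.2.128/25", "LT"),     # more-specific announcement inside the /24 wins
    ("198.51.100.0/24", "NL"),
    ("203.0.113.0/24", "PA"),
]

# Constructed (version, C2 IP) pairs, as a mcconf parser would emit for a week's configs.
C2_BY_VERSION = [
    (1000084, "192.0.2.10"), (1000084, "192.0.2.200"), (1000084, "198.51.100.5"),
    (1000085, "192.0.2.10"), (1000085, "203.0.113.7"), (1000085, "203.0.113.8"),
    (1000085, "10.0.0.1"),    # covered by no prefix: unrouted, or a gap in the table
]


def build_table(entries):
    """Sort most-specific prefix first, so the first hit below is the longest match."""
    nets = [(ipaddress.ip_network(p, strict=True), cc) for p, cc in entries]
    return sorted(nets, key=lambda e: e[0].prefixlen, reverse=True)


def lookup_cc(table, ip):
    """Longest-prefix match, as a router would resolve the address; None if unmatched."""
    addr = ipaddress.ip_address(ip)
    for net, cc in table:
        if addr in net:
            return cc
    return None


def country_by_version(table, pairs):
    """Return (per-version country counts, country counts of IPs first seen in each version).

    The second mapping is the weekly "new IPs allocated to NxCC" figure: an IP is
    attributed to the earliest version it appears in and never counted as new again."""
    per_version = defaultdict(Counter)
    new_ips = defaultdict(Counter)
    seen = set()
    for ver, ip in sorted(set(pairs)):          # unique per version, in version order
        cc = lookup_cc(table, ip) or "??"        # keep unmatched IPs visible, not dropped
        per_version[ver][cc] += 1
        if ip not in seen:
            seen.add(ip)
            new_ips[ver][cc] += 1
    return ({v: dict(c) for v, c in per_version.items()},
            {v: dict(c) for v, c in new_ips.items()})


if __name__ == "__main__":
    table = build_table(PREFIX_CC)
    totals, fresh = country_by_version(table, C2_BY_VERSION)
    for ver in sorted(totals):
        print(ver, totals[ver], "new:", fresh.get(ver, {}))
```

Two caveats a reader of the country tables should keep in mind: the registration country of a prefix is where the allocation is registered, not necessarily where the server is hosted, and "new" here means new to the set of shared mcconfs, so it is bounded by what was shared that week rather than by what the operators actually deployed.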

Friday 3 November 2017

Weekly TrickBot Analysis - End of w/c 30-Oct-2017 to 1000082

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 30th October 2017. This analysis covers 724 unique C2 IP addresses used in 154 mcconfs across 64 versions, with a latest version of 1000082.

The rate of discovery was slightly slower this week.

TrickBot Version Discovery Dates

The following graph shows the number of server entries using ports:
  • 443 (HTTPS);
  • 445 (microsoft-ds, i.e. SMB over TCP);
  • 449 (IBM AS Server Mapper); and 
  • 451 (Cray Network Semaphore Server).
The recent brief foray into port 451 ended with version 1000074.

TrickBot SRV Port Usage

The following table shows the top 25 servers (of 724 unique) used within the 64 versions. The most used server was present in versions 1000047 through 1000063, the second in versions 1000065 through 1000081.

TrickBot Top 25 SRV

The BGP prefix registrations for the C2 server IP addresses are heavily biased to RU, with US, PL, LT and FR next (each at least six times less prevalent).

TrickBot SRV IP Address BGP Prefix Country Codes

Lastly, the following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 154 mcconfs analysed.

TrickBot gtag Breakdown

Thanks to @mpvillafranca94, @VK_Intel, @K_N1kolenko, @hasherezade, @ArnaudDlms, @StackGazer, @0bscureC0de, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @spalomaresg, @virsoz, and @moutonplacide for sharing the mcconfs.