Weekly TrickBot Analysis - End of w/c 06-Nov-2017 to 1000085

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 6th November 2017. This analysis covers 758 unique C2 IP addresses used in 172 mcconfs across 68 versions, with a latest version of 1000085.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.) Three new versions discovered last week (1000083, 1000084 and 1000085), four the week before, and five the week before that.

The following graph shows the number of server entries using ports:

• 443 (HTTPS);
• 445 (IBM AS Server Mapper);
• 449 (Cray Network Semaphore Server); and 
• 451 (SMB).

Counts of server entries are currently increasing, but the high of 1000070/71 is a way off yet.

The following table shows the top 25 servers (of 758 unique) used within the 68 versions. last week's mcconfs used 51 unique servers with only 2 servers used prior to 1000080 (which was discovered 31st October 2017).

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 172 mcconfs analysed. The 'kas' gtag continues to be the most active campaign amongst shared mcconfs.

The BGP prefix registrations for the C2 server IP address are heavily biased to RU. New IPs allocated to 21xRU, 5xLT, 3xLU, 3xNL, 3xPA, and 1xPL

The following table shows a new analysis - the BGP allocation to country by TrickBot version.

Thanks to @mpvillafranca94, @VK_Intel, @K_N1kolenko, @hasherezade, @ArnaudDlms, @StackGazer, @0bscureC0de, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @spalomaresg, @virsoz, @botNET___, @moutonplacide, and @JasonMilletary for sharing the mcconfs.