Weekly TrickBot Analysis - End of w/c 20-Nov-2017 to 1000090

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 20th November 2017. This analysis covers 880 unique C2 IP addresses used in 206 mcconfs across 80 versions, with a latest version of 1000090.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

One new versions discovered in the last week (1000090), four the week before, and three the week before that.

The following graph shows the number of server entries using ports:

• 443 (HTTPS);
• 445 (IBM AS Server Mapper);
• 449 (Cray Network Semaphore Server); and 
• 451 (SMB).

Counts of server entries dropped slightly in the last week.

The following table shows the top 25 servers (of  880 unique) used within the 80 versions. last week's mcconfs used 11 unique servers and reused 19 (two of which had only been used way back in versions 1000026/27 from mid-2017).

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 206 mcconfs analysed. The 'kas' gtag continues to be the most active campaign amongst shared mcconfs.

The BGP prefix registrations for the C2 server IP address are heavily biased to RU. New IPs allocated to 1xAL, 1xLT, 1xPA, 1xPL, 7xRU.

The following table the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

Thanks to @mpvillafranca94, @JR0driguezB, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @0bscureC0de, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @spalomaresg, @virsoz, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, and @Techhelplistcom for sharing the mcconfs.

Particular thanks go to @JR0driguezB for providing some old mcconfs which filled historical gaps.