Friday 3 November 2017

Weekly TrickBot Analysis - End of w/c 30-Oct-2017 to 1000082

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 30th October 2017. This analysis covers 724 unique C2 IP addresses used in 154 mcconfs across 64 versions, with a latest version of 1000082.

The rate of discovery was slightly slower this week.

TrickBot Version Discovery Dates

The following graph shows the number of server entries using ports:
  • 443 (HTTPS);
  • 445 (IBM AS Server Mapper);
  • 449 (Cray Network Semaphore Server); and
  • 451 (SMB).
The recent brief foray into port 451 ended with version 1000074.

TrickBot SRV Port Usage

The following table shows the top 25 servers (of 724 unique) used within the 64 versions. The most used server was present in versions 1000047 through 1000063, the second in versions 1000065 through 1000081.

TrickBot Top 25 SRV

The BGP prefix registrations for the C2 server IP addresses are heavily biased towards RU, with US, PL, LT and FR next (each 6+ times less prevalent).

TrickBot SRV IP Address BGP Prefix Country Codes

Lastly, the following table shows the breakdown of detected TrickBot campaign 'gtag' (group tag) values used in the 154 mcconfs analysed.

TrickBot gtag Breakdown
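The port usage, top-server version ranges and gtag breakdown above are all aggregations over the same mcconf fields. The following script is an added example (not from the original post) that computes those three statistics from a batch of configs; the sample configs are constructed, and the simplified XML layout with ver/gtag/servs/srv elements is an assumption for this example rather than a documented schema.

```python
"""Aggregate TrickBot mcconf records into per-port, per-server and gtag statistics."""
from collections import Counter, defaultdict
import xml.etree.ElementTree as ET

# Constructed sample configs (not real TrickBot data). The element names
# ver/gtag/servs/srv are an assumption made for this example.
SAMPLE_MCCONFS = [
    "<mcconf><ver>1000074</ver><gtag>grp01</gtag><servs>"
    "<srv>192.0.2.10:443</srv><srv>192.0.2.11:451</srv></servs></mcconf>",
    "<mcconf><ver>1000081</ver><gtag>grp01</gtag><servs>"
    "<srv>192.0.2.10:443</srv><srv>198.51.100.5:449</srv></servs></mcconf>",
    "<mcconf><ver>1000082</ver><gtag>grp02</gtag><servs>"
    "<srv>198.51.100.5:449</srv><srv>203.0.113.7:445</srv></servs></mcconf>",
]

def parse_mcconf(xml_text):
    """Return (version, gtag, [(ip, port), ...]) from one config."""
    root = ET.fromstring(xml_text)
    version = int(root.findtext("ver"))
    gtag = root.findtext("gtag")
    servers = []
    for srv in root.iter("srv"):
        # rpartition keeps the IP intact even if a future format adds colons
        ip, _, port = srv.text.strip().rpartition(":")
        servers.append((ip, int(port)))
    return version, gtag, servers

def summarise(mcconfs):
    """Port histogram, gtag counts, and per-IP entry count with first/last version seen."""
    ports, gtags = Counter(), Counter()
    seen = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for text in mcconfs:
        version, gtag, servers = parse_mcconf(text)
        gtags[gtag] += 1
        for ip, port in servers:
            ports[port] += 1
            entry = seen[ip]
            entry["count"] += 1
            entry["first"] = version if entry["first"] is None else min(entry["first"], version)
            entry["last"] = version if entry["last"] is None else max(entry["last"], version)
    return {"ports": ports, "gtags": gtags, "servers": dict(seen)}

if __name__ == "__main__":
    stats = summarise(SAMPLE_MCCONFS)
    # Most-used servers first, with the version range they appeared in
    for ip, e in sorted(stats["servers"].items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip:16} seen {e['count']}x, versions {e['first']}..{e['last']}")
    print("ports:", dict(stats["ports"]), "gtags:", dict(stats["gtags"]))
```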

Thanks to @mpvillafranca94, @VK_Intel, @K_N1kolenko, @hasherezade, @ArnaudDlms, @StackGazer, @0bscureC0de, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @spalomaresg, @virsoz, and @moutonplacide for sharing the mcconfs.