Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 30th October 2017. This analysis covers 724 unique C2 IP addresses used in 154 mcconfs across 64 versions, with a latest version of 1000082. The rate of discovery was slightly slower this week.
The following graph shows the number of server entries using ports:
- 443 (HTTPS);
- 445 (IBM AS Server Mapper);
- 449 (Cray Network Semaphore Server); and
- 451 (SMB).
The recent brief foray into port 451 ended with version 1000074.
The following table shows the top 25 servers (of 724 unique) used within the 64 versions. The most used server was present in versions 1000047 through 1000063, the second in versions 1000065 through 1000081.
The BGP prefix registrations for the C2 server IP addresses are heavily biased to RU, with US, PL, LT and FR next (each 6+ times less prevalent).
Lastly, the following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 154 mcconfs analysed.
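The figures quoted above (unique C2 IPs, mcconf and version counts, port usage, per-server version ranges and the gtag breakdown) can be reproduced from a set of collected configs with a short script. The following is an added example and not the post's own tooling; it assumes the XML mcconf layout commonly described for TrickBot's main config (`<ver>`, `<gtag>`, and `<servs>` holding `<srv>ip:port</srv>` entries), and the sample configs are constructed, using documentation-range addresses rather than real C2 data.

```python
"""Aggregate TrickBot mcconf statistics (added example, not the post's own code).

Assumption: mcconf is XML of the form
<mcconf><ver>..</ver><gtag>..</gtag><servs><srv>ip:port</srv>..</servs></mcconf>.
Sample configs below are constructed; 192.0.2.0/24, 198.51.100.0/24 and
203.0.113.0/24 are documentation ranges, so nothing here is a real server.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

SRV_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")

# Constructed sample mcconfs. The last one is a verbatim duplicate of the first,
# as happens when several people share the same config; it must be counted once.
SAMPLE_MCCONFS = [
    "<mcconf><ver>1000080</ver><gtag>tt0002</gtag><servs>"
    "<srv>192.0.2.10:443</srv><srv>192.0.2.11:449</srv><srv>192.0.2.12:451</srv>"
    "</servs><autorun><module name=\"systeminfo\"/></autorun></mcconf>",
    "<mcconf><ver>1000081</ver><gtag>tt0002</gtag><servs>"
    "<srv>192.0.2.10:443</srv><srv>192.0.2.11:449</srv><srv>198.51.100.5:443</srv>"
    "</servs></mcconf>",
    "<mcconf><ver>1000082</ver><gtag>ser0830</gtag><servs>"
    "<srv>192.0.2.10:443</srv><srv>198.51.100.5:443</srv></servs></mcconf>",
    "<mcconf><ver>1000081</ver><gtag>lib173</gtag><servs>"
    "<srv>192.0.2.11:449</srv><srv>203.0.113.7:445</srv><srv>garbage</srv>"
    "</servs></mcconf>",
    "<mcconf><ver>1000080</ver><gtag>tt0002</gtag><servs>"
    "<srv>192.0.2.10:443</srv><srv>192.0.2.11:449</srv><srv>192.0.2.12:451</srv>"
    "</servs><autorun><module name=\"systeminfo\"/></autorun></mcconf>",
]


def parse_mcconf(xml_text):
    """Return (version, gtag, [(ip, port), ...]) or None if the XML is unusable.

    A malformed <srv> entry is skipped rather than discarding the whole config,
    since shared dumps are often hand-edited or truncated.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    ver, gtag = root.findtext("ver"), root.findtext("gtag")
    if ver is None or not ver.strip().isdigit():
        return None
    servers = []
    for srv in root.iter("srv"):
        m = SRV_RE.match((srv.text or "").strip())
        if m:
            servers.append((m.group(1), int(m.group(2))))
    return int(ver), (gtag or "").strip(), servers


def summarise(mcconf_texts):
    """Aggregate over unique configs; exact duplicates are counted once."""
    configs = {}
    for text in mcconf_texts:
        parsed = parse_mcconf(text)
        if parsed is not None:
            configs[(parsed[0], parsed[1], tuple(parsed[2]))] = parsed

    ips, versions = set(), set()
    ports, gtags, server_hits = Counter(), Counter(), Counter()
    server_versions = {}  # "ip:port" -> [lowest version seen, highest version seen]
    for ver, gtag, servers in configs.values():
        versions.add(ver)
        gtags[gtag] += 1
        for ip, port in servers:
            ips.add(ip)
            ports[port] += 1          # one count per server entry, as in the post's graph
            key = f"{ip}:{port}"
            server_hits[key] += 1     # number of configs the server appears in
            lo_hi = server_versions.setdefault(key, [ver, ver])
            lo_hi[0], lo_hi[1] = min(lo_hi[0], ver), max(lo_hi[1], ver)

    top = sorted(server_hits, key=lambda k: (-server_hits[k], k))
    return {
        "mcconfs": len(configs),
        "unique_c2_ips": len(ips),
        "versions": len(versions),
        "latest_version": max(versions) if versions else None,
        "ports": dict(ports),
        "gtags": dict(gtags),
        "top_servers": [(k, server_hits[k], tuple(server_versions[k])) for k in top],
    }


if __name__ == "__main__":
    for name, value in summarise(SAMPLE_MCCONFS).items():
        print(f"{name}: {value}")
```

The `top_servers` entries carry the version range each server was seen in, which is how a statement such as "present in versions 1000047 through 1000063" is derived; sorting by hit count and then by address keeps the ordering stable between runs.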
Thanks to @mpvillafranca94, @VK_Intel, @K_N1kolenko, @hasherezade, @ArnaudDlms, @StackGazer, @0bscureC0de, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @spalomaresg, @virsoz, and @moutonplacide for sharing the mcconfs.