Weekly TrickBot Analysis - End of w/c 18-Dec-2017 to 1000109

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 18th December 2017. This analysis covers 1,111 unique C2 IP addresses used in 234 mcconfs across 101 versions, with a highest version of 1000109.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Six versions were discovered in the last week (1000021, 1000106, 1000107, 1000108, 1000109, and 1000022), four the week before, and five the week before that. Two of the versions discovered have early version numbers (1000021 and 1000022) but only include new C2 servers. While my data does not include these versions from their 'first use', it seems these version numbers are being re-purposed in new campaigns, identified by group tags beginning 'solinger'.

The following graph shows the number of server entries using ports:

• 443 (HTTPS);
• 445 (IBM AS Server Mapper) -- INACTIVE;
• 449 (Cray Network Semaphore Server); and 
• 451 (SMB) -- INACTIVE.

The number of C2 server entries in new high versions dropped again since the peak of 1000105.

The following table shows the top 25 servers (of  1,111 unique) used within the 101 versions. There were three changes from the previous week, with 200[.]111.97.235:449, 82[.]146.48.44:443, and 94[.]250.253.142:443 moving into the top 25.

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 234 mcconfs analysed. As noted earlier, the 'solinger' tag was noted within versions 1000021 and 1000022.

90 C2 servers were used in the analysed week's mcconfs, of which 62 were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to RU. The new servers' IP addresses are allocated to 33xRU, 9xLU, 4xNL, 3xCZ, 3xEC, 2xBG, 2xPL, 1xFR, 1xGB, 1xKZ, 1xLV, 1xMY, and 1xUA.

The following map shows the geographical location of 80 (those scanned by Shodan) of the 90 IP addresses used in the analysed week's configs. Six of the 80 are MikroTik devices. Of the remainder, 51 are running OpenSSH, 44 are running nginx, 12 are running Apache, six are running Exim, two are running ProFTP, one is running Postfix, one is running MySQL, and one is running  Haproxy http proxy -- with some servers running as many as four of these products.

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.

Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary,@Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters and @coldshell for sharing the mcconfs.

Adhoc TrickBot Analysis - 1000105

If you've studied TrickBot at all then you'll know that instances of the Banking Trojan get their tier 1 command and control (C2) server list from an encrypted configuration which is packed into the resource section of an MS-DOS MZ executable file. Once decrypted, for example using @hasherezade's useful Python script (as shown in their unpacking demo), the configuration is XML with an outermost <mcconf> tag -- hence the name 'mcconf' is frequently used to refer to TrickBot's configurations.

The mcconf contains the configuration version and the group tag (which identifies the campaign), along with a list of C2 servers.

• <ver>[0-9]{7}</ver>
• <gtag>[a-z]{2,8}[0-9]{0,4}[a-z]?</gtag>

Multiple campaigns (i.e., gtags) may employ mcconf with the same version number, and in so doing (usually) employ the same list of C2 servers. However, recently several researchers (@JR0driguezB and @Techhelplistcom) shared two campaign mcconfs for version 1000105; these contained two server differences which look like typographical errors. 

Apart from the fact that the two servers had one digit different off the first quad of the IP address, the likelihood of these being typos is increased by the following observations:

1. No other occurrences of 2.x.y.z or 7.x.y.z subnets are present amongst the 1,111 server IP addresses in shared mcconfs;
2. The 7.x.y.z subnet is registered to the DoD Network Information Center (DNIC) and the IP address 7[.]46.133.10 is not found amongst BGP routes.

As with much malware analysis, the actual cause may never be clear to anyone other than the threat actors themselves. It is highly likely that those behind TrickBot employ some automation to produce their components, given the rate at which new versions of configuration are produced and deployed. However, it is also clear that some operator decisions and actions are involved. One only has to review the progression of gtag campaign identifiers to see numbering changes indicative of manual processing.

Weekly TrickBot Analysis - End of w/c 11-Dec-2017 to 1000105

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 11th December 2017. This analysis covers 1,047 unique C2 IP addresses used in 224 mcconfs across 95 versions, with a latest version of 1000105.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Four new versions were discovered in the last week (1000102, 1000103, 1000104, and 1000105), five the week before, and five the week before that.

The following graph shows the number of server entries using ports:

• 443 (HTTPS);
• 445 (IBM AS Server Mapper) -- INACTIVE;
• 449 (Cray Network Semaphore Server); and 
• 451 (SMB) -- INACTIVE.

There was a dramatic increase in the number of C2 server entries in version 1000105, taking the count to 36 (within one of the high from versions 1000071 and 1000072).

The following table shows the top 25 servers (of  1,051 unique) used within the 95 versions. There was only one change from the previous week, with 79[.]106.41.9:449 moving up due to its use in version 1000102.

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 224 mcconfs analysed. 'mac1' was detected in recent configs, alongside the test group tag.

60 C2 servers were used in last week's mcconfs, of which 15 had been used previously, with only one -- 79[.]106.41.9:449 -- used before version 1000099. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to RU. Last week's server IP addresses are allocated to 45xRU, 4xUS, 2xGB, 2xNL, 2xPY, 1xAL, 1xCL, 1xLU, 1xPA, 1xPL.

New analysis shows the geographical location of 49 (those scanned by Shodan) of the 60 IP addresses used in last week's configs. Four of the 49 are MikroTik devices, one is an ER-X. Of the remainder, 33 are running OpenSSH, 12 are running nginx, seven are running Apache, six are running Exim, two are running Postfix, one is running MySQL, and one is running ProFTP -- with some servers running as many as four of these products.

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers. There has been a lot of movement in the prefixes on this list, but all but one prefix was already in the top 25 last week.

Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @spalomaresg, @virsoz, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters and @coldshell for sharing the mcconfs.

Weekly TrickBot Analysis - End of w/c 04-Dec-2017 to 1000101

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 4th December 2017. This analysis covers 1,002 unique C2 IP addresses used in 220 mcconfs across 91 versions, with a latest version of 1000101.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Five new versions were discovered in the last week (1000097, 1000098, 1000099, 1000100, and 1000101), five the week before, and one the week before that.

The following graph shows the number of server entries using ports:

• 443 (HTTPS);
• 445 (IBM AS Server Mapper) -- INACTIVE;
• 449 (Cray Network Semaphore Server); and 
• 451 (SMB) -- INACTIVE.

The percentage of 449 hosts increased through this week.

The following table shows the top 25 servers (of  1,006 unique) used within the 91 versions. One new server -- 79[.]106.41.9:449 -- made it to the top 25 this week and another -- 36[.]37.176.6:443 -- jumped up seven places from the bottom.

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 220 mcconfs analysed. Phishing campaigns restarted this week (after last week quiet period) with one 'mac1' and two 'ser' campaigns detected.

The BGP prefix registrations for the C2 server IP address are heavily biased to RU. New server IP addresses are allocated to 26xRU, 9xLT, 5xNL, 4xUS, 3xPA, 2xGB, 2xPL, 1xCL.

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

Lastly, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers. There is no change in this listing compared to last week, with the majority of the top 25 assigned to Eastern European countries -- the exceptions being PA and GB.

Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @spalomaresg, @virsoz, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987 and @MalHunters for sharing the mcconfs.

Weekly TrickBot Analysis - End of w/c 27-Nov-2017 to 1000096

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 27th November 2017. This analysis covers 946 unique C2 IP addresses used in 211 mcconfs across 85 versions, with a latest version of 1000096.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Five new versions were discovered in the last week (1000092, 1000093, 1000094, 1000095, and 1000096), one the week before, and four the week before that. No mcconfs have been shared for 1000091 so far -- it may be that this version was either skipped or, more likely, only distributed to a small subset of the TrickBot installations.

The following graph shows the number of server entries using ports:

• 443 (HTTPS);
• 445 (IBM AS Server Mapper) -- INACTIVE;
• 449 (Cray Network Semaphore Server); and 
• 451 (SMB) -- INACTIVE.

Counts of server entries dropped significantly in version 1000094 (similar to 1000049) but rose again in 1000095.

The following table shows the top 25 servers (of  946 unique) used within the 85 versions. There was a single change near the bottom of the table compared to last week. I've updated the table to now include the first and most recent versions in which each server was used.

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 211 mcconfs analysed. Only test configs 'tt0002' were discovered last week, possibly due to no new TrickBot phishing campaigns.

The BGP prefix registrations for the C2 server IP address are heavily biased to RU. New server IP addresses are allocated to 39xRU, 10xLT, 5xNL, 2xLU, 1xAL, 1xCH, 1xKZ, 1xPA.

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

Lastly, the following table shows new analysis into the top 25 BGP prefixes used by TrickBot for C2 servers. The majority of the top 25 are assigned to Eastern European countries. With the exceptions being PA and GB.

Thanks to @mpvillafranca94, @JR0driguezB, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @0bscureC0de, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @spalomaresg, @virsoz, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, and @Techhelplistcom for sharing the mcconfs.

TrickBot Data Request

If you've looked at any of the other posts on this blog, or seen my tweets (@EscInSecurity), you'll know that I currently analyse shared mcconf data for the TrickBot Banking Trojan (aka, The Trick).

I'm very grateful to all those that share configs extracted from their honeypot logs and other malware analysis activities. As per below, I always thank these people for their sharing - and while you can't see it, in my raw data I track every config's original source.

I'm currently missing some TrickBot versions, and I'd be very grateful if any analysts have mcconfs that they are willing to share. Specifically, I'm currently missing:

• 1000001
• 1000005
• 1000006
• 1000008
• 1000009
• 1000011
• 1000014
• 1000021
• 1000022
• 1000023
• 1000091

Equally, if you think I'm missing particular campaigns in my gtag tables (see last week's post for the latest) then please share those too.

Once again, thanks to @mpvillafranca94, @JR0driguezB, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @0bscureC0de, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @spalomaresg, @virsoz, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, and @Techhelplistcom for sharing the mcconfs via Twitter.