The mcconf contains the configuration version and the group tag (which identifies the campaign), along with a list of C2 servers.
Multiple campaigns (i.e., gtags) may employ mcconf with the same version number, and in so doing (usually) employ the same list of C2 servers. However, recently several researchers (@JR0driguezB and @Techhelplistcom) shared two campaign mcconfs for version 1000105; these contained two server differences which look like typographical errors.
Apart from the fact that the two servers had one digit different off the first quad of the IP address, the likelihood of these being typos is increased by the following observations:
- No other occurrences of 2.x.y.z or 7.x.y.z subnets are present amongst the 1,111 server IP addresses in shared mcconfs;
- The 7.x.y.z subnet is registered to the DoD Network Information Center (DNIC) and the IP address 7[.]46.133.10 is not found amongst BGP routes.
As with much malware analysis, the actual cause may never be clear to anyone other than the threat actors themselves. It is highly likely that those behind TrickBot employ some automation to produce their components, given the rate at which new versions of configuration are produced and deployed. However, it is also clear that some operator decisions and actions are involved. One only has to review the progression of gtag campaign identifiers to see numbering changes indicative of manual processing.