The mcconf contains the configuration version and the group tag (which identifies the campaign), along with a list of C2 servers.
- `<ver>[0-9]{7}</ver>`
- `<gtag>[a-z]{2,8}[0-9]{0,4}[a-z]?</gtag>`
Multiple campaigns (i.e., gtags) may employ mcconf with the same version number, and when they do they (usually) carry the same list of C2 servers. However, two researchers (@JR0driguezB and @Techhelplistcom) recently shared mcconfs from two different campaigns, both at version 1000105; the server lists differed in two entries, and both differences look like typographical errors.
Beyond the fact that the two servers differ by a single digit in the first octet of the IP address, two further observations raise the likelihood that these are typos:
- No other addresses in the 2.0.0.0/8 or 7.0.0.0/8 ranges appear among the 1,111 server IP addresses in shared mcconfs;
- The 7.0.0.0/8 range is registered to the DoD Network Information Center (DNIC), and the address 7[.]46.133.10 is not covered by any announced BGP route.
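As an added example (not part of the original analysis, nor the researchers' tooling), the following Python script applies the first two checks above to mcconf text: it validates the ver and gtag fields against the patterns given earlier, extracts the server list, and, for configs sharing a version, flags servers present in only one config whose counterpart in the other differs by a single character, recording which octet differs and whether each address's first octet (/8) is otherwise unseen across all supplied configs. The `<srv>IP:port</srv>` server element, the sample configs, the gtags and the IP addresses are constructed assumptions, not observed indicators; the registry and BGP check in the third point needs external data and is not implemented here.

```python
import re
from collections import Counter

# Field patterns as given on the page.
VER_RE = re.compile(r"[0-9]{7}")
GTAG_RE = re.compile(r"[a-z]{2,8}[0-9]{0,4}[a-z]?")

# Assumption: C2 servers sit in <srv>IP:port</srv> elements under <servs>;
# the page itself only shows the <ver> and <gtag> fields.
SRV_RE = re.compile(r"<srv>([^<]+)</srv>")


def parse_mcconf(text):
    """Return {'ver', 'gtag', 'servers'} from an mcconf blob, validating
    ver and gtag against the patterns above."""
    ver = re.search(r"<ver>([^<]*)</ver>", text)
    gtag = re.search(r"<gtag>([^<]*)</gtag>", text)
    if not ver or not VER_RE.fullmatch(ver.group(1)):
        raise ValueError("missing or malformed <ver>")
    if not gtag or not GTAG_RE.fullmatch(gtag.group(1)):
        raise ValueError("missing or malformed <gtag>")
    return {"ver": ver.group(1), "gtag": gtag.group(1),
            "servers": SRV_RE.findall(text)}


def ip_of(server):
    """Strip the :port suffix from a server entry."""
    return server.rsplit(":", 1)[0]


def one_char_apart(a, b):
    """True when two equal-length strings differ in exactly one character."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def differing_octets(ip_a, ip_b):
    """Indices (0-3) of the octets where two dotted quads differ."""
    qa, qb = ip_a.split("."), ip_b.split(".")
    return [i for i in range(4) if qa[i] != qb[i]]


def suspected_typos(confs):
    """For mcconfs sharing a <ver>, find servers present in only one config
    whose nearest entry in the other is one character away. Each hit notes
    the differing octet and whether each IP's /8 is otherwise unseen."""
    all_ips = {ip_of(s) for c in confs for s in c["servers"]}
    slash8_counts = Counter(ip.split(".")[0] for ip in all_ips)

    def singleton_slash8(ip):
        return slash8_counts[ip.split(".")[0]] == 1

    hits, seen = [], set()
    for a in confs:
        for b in confs:
            if a is b or a["ver"] != b["ver"]:
                continue
            only_a = set(a["servers"]) - set(b["servers"])
            only_b = set(b["servers"]) - set(a["servers"])
            for sa in only_a:
                for sb in only_b:
                    ia, ib = ip_of(sa), ip_of(sb)
                    # Require well-formed dotted quads so octet indexing is safe.
                    if ia.count(".") != 3 or ib.count(".") != 3:
                        continue
                    if not one_char_apart(ia, ib):
                        continue
                    key = frozenset((ia, ib))
                    if key in seen:
                        continue
                    seen.add(key)
                    hits.append({
                        "pair": tuple(sorted((ia, ib))),
                        "octet": differing_octets(ia, ib)[0],
                        "gtags": tuple(sorted((a["gtag"], b["gtag"]))),
                        "singleton_slash8": {ia: singleton_slash8(ia),
                                             ib: singleton_slash8(ib)},
                    })
    return hits


# Constructed sample mcconfs (not real campaign data): one version, two gtags,
# identical server lists apart from one entry that differs by a single digit
# in the first octet. 192.0.2.0/24 and friends are documentation ranges.
COMMON = ["203.0.113.5:443", "198.51.100.7:443", "192.0.2.77:443"]


def build_conf(gtag, servers):
    srvs = "".join(f"<srv>{s}</srv>" for s in servers)
    return f"<mcconf><ver>1000105</ver><gtag>{gtag}</gtag><servs>{srvs}</servs></mcconf>"


CONF_A = build_conf("abc123", COMMON + ["192.0.2.10:443"])
CONF_B = build_conf("xyz123", COMMON + ["142.0.2.10:443"])

if __name__ == "__main__":
    for hit in suspected_typos([parse_mcconf(CONF_A), parse_mcconf(CONF_B)]):
        print(hit)
```

On the constructed sample the script reports one pair, differing in octet 0, with 142.0.2.10 the only address in its /8 while 192.0.2.10 shares its /8 with another server; that is the shape of evidence the two points above describe. A dropped or doubled digit changes the string length and is deliberately not flagged by `one_char_apart`, so extend the distance function if that class of typo matters.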
As with much malware analysis, the actual cause may never be clear to anyone other than the threat actors themselves. It is highly likely that those behind TrickBot employ some automation to produce their components, given the rate at which new versions of configuration are produced and deployed. However, it is also clear that some operator decisions and actions are involved. One only has to review the progression of gtag campaign identifiers to see numbering changes indicative of manual processing.