Monday 11 December 2017

Weekly TrickBot Analysis - End of w/c 04-Dec-2017 to 1000101

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 4th December 2017. This analysis covers 1,002 unique C2 IP addresses used in 220 mcconfs across 91 versions, with a latest version of 1000101.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Five new versions were discovered in the last week (1000097, 1000098, 1000099, 1000100, and 1000101), five the week before, and one the week before that.

TrickBot Version Discovery Dates

The following graph shows the number of server entries using ports:
  • 443 (HTTPS);
  • 445 (IBM AS Server Mapper) -- INACTIVE;
  • 449 (Cray Network Semaphore Server); and 
  • 451 (SMB) -- INACTIVE.
The percentage of 449 hosts increased through this week.

TrickBot SRV Port Usage

The following table shows the top 25 servers (of  1,006 unique) used within the 91 versions. One new server -- 79[.]106.41.9:449 -- made it to the top 25 this week and another -- 36[.]37.176.6:443 -- jumped up seven places from the bottom.

TrickBot Top 25 SRV

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 220 mcconfs analysed. Phishing campaigns restarted this week (after last week quiet period) with one 'mac1' and two 'ser' campaigns detected.
TrickBot gtag Breakdown

The BGP prefix registrations for the C2 server IP address are heavily biased to RU. New server IP addresses are allocated to 26xRU, 9xLT, 5xNL, 4xUS, 3xPA, 2xGB, 2xPL, 1xCL.

TrickBot SRV IP Address BGP Prefix Country Codes

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

TrickBot SRV IP Address BGP Prefix Country Codes By Version

Lastly, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers. There is no change in this listing compared to last week, with the majority of the top 25 assigned to Eastern European countries -- the exceptions being PA and GB.

TrickBot Top 25 BGP Prefixes


Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @spalomaresg, @virsoz, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987 and @MalHunters for sharing the mcconfs.
at
Labels: , ,