The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)
Four new versions were discovered in the last week (1000102, 1000103, 1000104, and 1000105), five the week before, and five the week before that.
The following graph shows the number of server entries using ports:
- 443 (HTTPS);
- 445 (IBM AS Server Mapper) -- INACTIVE;
- 449 (Cray Network Semaphore Server); and
- 451 (SMB) -- INACTIVE.
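As an added illustration (not code from the original post), the per-port and per-version tallies behind the graphs above can be derived directly from shared mcconfs. The XML layout below follows TrickBot's `<mcconf>` / `<ver>` / `<servs>` / `<srv>` structure; the sample entries and IP addresses are constructed for this example and are not real C2s.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample mcconfs. Each <srv> holds "ip:port"; IPs are taken from
# the RFC 5737 documentation ranges, so none of them is a real server.
SAMPLE_MCCONFS = [
    """<mcconf><ver>1000104</ver><gtag>example1</gtag><servs>
       <srv>192.0.2.10:443</srv><srv>192.0.2.11:449</srv><srv>192.0.2.12:443</srv>
       </servs></mcconf>""",
    """<mcconf><ver>1000105</ver><gtag>example2</gtag><servs>
       <srv>192.0.2.11:449</srv><srv>192.0.2.13:443</srv><srv>198.51.100.7:445</srv>
       </servs></mcconf>""",
]


def parse_mcconf(xml_text):
    """Return (version, [(ip, port), ...]) for one mcconf XML document."""
    root = ET.fromstring(xml_text)
    version = root.findtext("ver", default="").strip()
    servers = []
    for srv in root.iter("srv"):
        host, sep, port = (srv.text or "").strip().rpartition(":")
        if not sep or not port.isdigit():
            continue  # skip a malformed entry rather than abort the whole config
        servers.append((host, int(port)))
    return version, servers


def summarise(mcconfs):
    """Tally server entries per port, and unique C2 hosts per version, across configs."""
    port_counts = Counter()
    hosts_by_version = {}
    for text in mcconfs:
        version, servers = parse_mcconf(text)
        for _host, port in servers:
            port_counts[port] += 1
        hosts_by_version.setdefault(version, set()).update(h for h, _ in servers)
    return port_counts, hosts_by_version


if __name__ == "__main__":
    ports, by_version = summarise(SAMPLE_MCCONFS)
    for port, n in sorted(ports.items()):
        print(f"port {port}: {n} server entries")
    for ver, hosts in sorted(by_version.items()):
        print(f"version {ver}: {len(hosts)} unique hosts")
```

Feeding the week's collected mcconfs into `summarise` gives the port histogram and the per-version host sets that the graphs and country table are built from; the same host appearing in several versions is counted once per version.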
New analysis shows the geographical location of 49 (those scanned by Shodan) of the 60 IP addresses used in last week's configs. Four of the 49 are MikroTik devices, and one is an ER-X. Of the remainder, 33 are running OpenSSH, 12 are running nginx, seven are running Apache, six are running Exim, two are running Postfix, one is running MySQL, and one is running ProFTPD -- with some servers running as many as four of these products.
The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.
Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers. There has been a lot of movement in the prefixes on this list, but all but one prefix were already in the top 25 last week.
Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @spalomaresg, @virsoz, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters and @coldshell for sharing the mcconfs.