Sunday, 31 December 2017

Weekly TrickBot Analysis - End of w/c 18-Dec-2017 to 1000109

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 18th December 2017. This analysis covers 1,111 unique C2 IP addresses used in 234 mcconfs across 101 versions, with a highest version of 1000109.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Six versions were discovered in the last week (1000021, 1000106, 1000107, 1000108, 1000109, and 1000022), four the week before, and five the week before that. Two of the versions discovered have early version numbers (1000021 and 1000022) but only include new C2 servers. While my data does not include these versions from their 'first use', it seems these version numbers are being re-purposed in new campaigns, identified by group tags beginning 'solinger'.

TrickBot Version Discovery Dates

The following graph shows the number of server entries using ports:
  • 443 (HTTPS);
  • 445 (IBM AS Server Mapper) -- INACTIVE;
  • 449 (Cray Network Semaphore Server); and
  • 451 (SMB) -- INACTIVE.
The number of C2 server entries in new high versions dropped again since the peak of 1000105.

TrickBot SRV Port Usage

The following table shows the top 25 servers (of 1,111 unique) used within the 101 versions. There were three changes from the previous week, with 200[.]111.97.235:449, 82[.]146.48.44:443, and 94[.]250.253.142:443 moving into the top 25.

TrickBot Top 25 SRV

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 234 mcconfs analysed. As noted earlier, the 'solinger' tag was noted within versions 1000021 and 1000022.


TrickBot gtag Breakdown

90 C2 servers were used in the analysed week's mcconfs, of which 62 were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to RU. The new servers' IP addresses are allocated to 33xRU, 9xLU, 4xNL, 3xCZ, 3xEC, 2xBG, 2xPL, 1xFR, 1xGB, 1xKZ, 1xLV, 1xMY, and 1xUA.
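As an added example (not part of the original post), the following Python snippet reproduces the kind of figures reported above, port usage per server entry, servers ranked by the number of versions they appear in, the gtag breakdown, and new versus previously seen C2 entries, from a set of mcconfs. The sample mcconfs and their IP addresses are constructed (RFC 5737 documentation ranges), and the element layout (ver, gtag, servs/srv) is assumed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample mcconfs; assumed layout: <ver>, <gtag>, <servs><srv>ip:port</srv></servs>.
SAMPLE_MCCONFS = [
    "<mcconf><ver>1000108</ver><gtag>mac1</gtag><servs>"
    "<srv>192.0.2.10:443</srv><srv>192.0.2.11:449</srv></servs></mcconf>",
    "<mcconf><ver>1000109</ver><gtag>mac1</gtag><servs>"
    "<srv>192.0.2.10:443</srv><srv>198.51.100.5:449</srv></servs></mcconf>",
    "<mcconf><ver>1000022</ver><gtag>solinger2</gtag><servs>"
    "<srv>198.51.100.5:449</srv><srv>203.0.113.7:451</srv></servs></mcconf>",
]


def parse_mcconf(xml_text):
    """Extract version, group tag and the ip:port server entries from one mcconf."""
    root = ET.fromstring(xml_text)
    servers = [s.text.strip() for s in root.iter("srv") if s.text]
    return {"ver": root.findtext("ver"), "gtag": root.findtext("gtag") or "", "servers": servers}


def summarise(configs, previously_seen=frozenset()):
    """Aggregate parsed mcconfs into the per-port, per-server, per-gtag and new-server views."""
    port_counts = Counter()          # server entries per port (each srv line counts once)
    versions_per_server = {}         # ip:port -> set of versions it appears in
    gtags = Counter()                # mcconfs per group tag
    for cfg in configs:
        gtags[cfg["gtag"]] += 1
        for srv in cfg["servers"]:
            _ip, _, port = srv.rpartition(":")
            port_counts[port] += 1
            versions_per_server.setdefault(srv, set()).add(cfg["ver"])
    unique = set(versions_per_server)
    return {
        "port_counts": dict(port_counts),
        # rank servers by how many versions reuse them, ties broken by address
        "top_servers": sorted(unique, key=lambda s: (-len(versions_per_server[s]), s)),
        "gtags": dict(gtags),
        "new_servers": sorted(unique - set(previously_seen)),
    }


if __name__ == "__main__":
    parsed = [parse_mcconf(x) for x in SAMPLE_MCCONFS]
    print(summarise(parsed, previously_seen={"192.0.2.10:443"}))
```

Feeding it the real weekly mcconf set, with the previous week's server list as `previously_seen`, yields the "new servers" count used in the paragraph above.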

TrickBot SRV IP Address BGP Prefix Country Codes

The following map shows the geographical location of 80 (those scanned by Shodan) of the 90 IP addresses used in the analysed week's configs. Six of the 80 are MikroTik devices. Of the remainder, 51 are running OpenSSH, 44 are running nginx, 12 are running Apache, six are running Exim, two are running ProFTP, one is running Postfix, one is running MySQL, and one is running the HAProxy HTTP proxy -- with some servers running as many as four of these products.


TrickBot IP Address Locations For New Configs

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

TrickBot SRV IP Address BGP Prefix Country Codes By Version

Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.

TrickBot Top 25 BGP Prefixes


Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters and @coldshell for sharing the mcconfs.