Weekly TrickBot Analysis - End of w/c 27-Nov-2017 to 1000096

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 27th November 2017. This analysis covers 946 unique C2 IP addresses used in 211 mcconfs across 85 versions, with a latest version of 1000096.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Five new versions were discovered in the last week (1000092, 1000093, 1000094, 1000095, and 1000096), one the week before, and four the week before that. No mcconfs have been shared for 1000091 so far -- it may be that this version was either skipped or, more likely, only distributed to a small subset of the TrickBot installations.

The following graph shows the number of server entries using ports:

• 443 (HTTPS);
• 445 (IBM AS Server Mapper) -- INACTIVE;
• 449 (Cray Network Semaphore Server); and 
• 451 (SMB) -- INACTIVE.

Counts of server entries dropped significantly in version 1000094 (similar to 1000049) but rose again in 1000095.

The following table shows the top 25 servers (of  946 unique) used within the 85 versions. There was a single change near the bottom of the table compared to last week. I've updated the table to now include the first and most recent versions in which each server was used.

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 211 mcconfs analysed. Only test configs 'tt0002' were discovered last week, possibly due to no new TrickBot phishing campaigns.

The BGP prefix registrations for the C2 server IP address are heavily biased to RU. New server IP addresses are allocated to 39xRU, 10xLT, 5xNL, 2xLU, 1xAL, 1xCH, 1xKZ, 1xPA.

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

Lastly, the following table shows new analysis into the top 25 BGP prefixes used by TrickBot for C2 servers. The majority of the top 25 are assigned to Eastern European countries. With the exceptions being PA and GB.

Thanks to @mpvillafranca94, @JR0driguezB, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @0bscureC0de, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @spalomaresg, @virsoz, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, and @Techhelplistcom for sharing the mcconfs.