Monday 29 January 2018

Weekly TrickBot Analysis - End of w/c 22-Jan-2018 to 1000119

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 22nd January 2018. This analysis covers 1,302 unique C2 IP addresses used in 255 mcconfs across 118 versions, with a highest version of 1000119.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Seven versions were discovered in the week commencing 22nd January 2018 (A-1000116, A-1000117, A-1000118, A-1000119, B-1000027, B-1000028, and B-1000029), two the week before, and four the week before that. Four of the discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000119. Three shared versions extend the six repeats from the last two months, where low (1000021 to 1000026) version numbers are reused. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.)

TrickBot Version Discovery Dates

The following graph shows the number of server entries using ports:
  • 443 (HTTPS);
  • 445 (IBM AS Server Mapper) -- INACTIVE;
  • 449 (Cray Network Semaphore Server); and 
  • 451 (SMB) -- INACTIVE.
This week's iteration A configs increased the count of C2 server entries back to a level last seen at the start of January. The iteration B configs seen continue the low C2 server count which has typified iteration B.

TrickBot SRV Port Usage

The following table shows the top 25 servers (of 1,302 unique) used within the 118 versions. This table changes for the first time in five weeks with the introduction of 94[.]127[.]111[.]14[:]449 into the top 25 due to its use between versions 1000109 and 1000116.

TrickBot Top 25 SRV

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 255 mcconfs analysed.


TrickBot gtag Breakdown

97 C2 servers were used in the mcconfs from this week, of which 84 (87%) were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to ASNs routed through RU (so the Y-axis of the graph below is cut short to allow clearer viewing of the other country counts). The new servers' IP addresses are associated with ASNs routed to: 64xRU, 10xNL, 3xIN, 3xLU, 2xPL, 1xCH, and 1xUS.
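The statistics quoted in each weekly post (server entries per port for a version, the top-N servers ranked by the number of versions they appear in, the gtag breakdown, the share of this week's C2 IPs that were never seen before, and the "64xRU, 10xNL" country tally) all come from the same kind of aggregation over decoded configs. The script below is an added example, not the author's own tooling: it assumes each mcconf has already been decoded into an (iteration, version, gtag, server list) tuple, and the configs, IP addresses and the ASN-to-country lookup are constructed sample values, not real TrickBot indicators.

```python
"""Aggregate decoded TrickBot-style mcconfs the way the weekly write-ups do.

Added example, not code from the original blog. It assumes each mcconf has
been decoded into (iteration, version, gtag, [(ip, port), ...]). All data
below is constructed sample input, not real indicators.
"""
from collections import Counter, defaultdict

# Port labels used by the blog's 'SRV Port Usage' graph.
PORT_NAMES = {443: "HTTPS", 445: "IBM AS Server Mapper",
              449: "Cray Network Semaphore Server", 451: "SMB"}

# Constructed sample configs (documentation-range IPs, made-up gtags).
PRIOR_CONFIGS = [
    ("A", 1000109, "ser0123", [("198.51.100.10", 443), ("198.51.100.11", 449)]),
    ("A", 1000110, "ser0123", [("198.51.100.10", 443), ("198.51.100.12", 443)]),
    ("B", 1000026, "tt0002", [("203.0.113.5", 443)]),
]
WEEK_CONFIGS = [
    ("A", 1000116, "ser0124", [("198.51.100.10", 443), ("198.51.100.20", 449),
                               ("198.51.100.21", 449)]),
    ("A", 1000117, "ser0124", [("198.51.100.20", 449), ("198.51.100.22", 451)]),
    ("B", 1000027, "tt0003", [("203.0.113.6", 443)]),
]
# Constructed stand-in for a BGP prefix / ASN country lookup.
ASN_COUNTRY = {"198.51.100.20": "RU", "198.51.100.21": "RU",
               "198.51.100.22": "NL", "203.0.113.6": "LU"}


def defang(ip, port):
    """Render an indicator so it is not auto-linked, e.g. 198[.]51[.]100[.]10[:]443."""
    return ip.replace(".", "[.]") + "[:]" + str(port)


def port_usage(configs):
    """Server entries per port for each version (the 'SRV Port Usage' graph)."""
    return {version: Counter(port for _ip, port in servers)
            for _it, version, _gtag, servers in configs}


def top_servers(configs, n=25):
    """Rank ip:port entries by how many distinct versions use them."""
    versions = defaultdict(set)
    for _it, version, _gtag, servers in configs:
        for ip, port in servers:
            versions[(ip, port)].add(version)
    ranked = sorted(versions.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(defang(ip, port), len(v)) for (ip, port), v in ranked[:n]]


def gtag_breakdown(configs):
    """Count configs per campaign group tag."""
    return Counter(gtag for _it, _v, gtag, _s in configs)


def new_servers(week, prior):
    """Return (ips used this week, subset never seen in prior configs)."""
    seen = {ip for _i, _v, _g, servers in prior for ip, _p in servers}
    used = {ip for _i, _v, _g, servers in week for ip, _p in servers}
    return used, used - seen


def new_server_stats(week, prior):
    """(used count, new count, percentage new) as quoted in the posts."""
    used, new = new_servers(week, prior)
    pct = round(100 * len(new) / len(used)) if used else 0
    return len(used), len(new), pct


def country_tally(ips, asn_country):
    """'64xRU, 10xNL' style string: count desc, then country code."""
    counts = Counter(asn_country.get(ip, "??") for ip in ips)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ", ".join(f"{n}x{cc}" for cc, n in ordered)


if __name__ == "__main__":
    for version, counts in port_usage(WEEK_CONFIGS).items():
        print(version, {PORT_NAMES[p]: c for p, c in counts.items()})
    print(top_servers(PRIOR_CONFIGS + WEEK_CONFIGS, 5))
    print(gtag_breakdown(WEEK_CONFIGS))
    used, new, pct = new_server_stats(WEEK_CONFIGS, PRIOR_CONFIGS)
    print(f"{used} C2 servers used, {new} ({pct}%) new")
    print(country_tally(new_servers(WEEK_CONFIGS, PRIOR_CONFIGS)[1], ASN_COUNTRY))
```

In practice the ASN_COUNTRY lookup would be replaced by a real BGP prefix lookup, and the prior-config list by everything decoded in earlier weeks; the new-versus-seen split is what turns a weekly config dump into the "of which N were new" figure, which is the number worth alerting on when a config introduces servers that no existing blocklist covers.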

TrickBot SRV IP Address BGP Prefix Country Codes

The following map shows the geographical location of 85 (scanned by Shodan) of the 97 IP addresses used in the analysed configs.

Five of these servers are MikroTik devices (historically a favourite of TrickBot), one is an ER-X and one is a NanoStation Loco M5.

49 are running OpenSSH, 25 are running nginx, 16 are running Apache, eight are running Exim, eight are running Postfix, four are running MySQL, four are running ProFTPD, one is running ARK, one is running Dropbear SSH, one is running IIS, one is running Squid Proxy -- with some servers running as many as four of these products.


TrickBot IP Address Locations For New Configs

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

TrickBot SRV IP Address BGP Prefix Country Codes By Version

Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.

TrickBot Top 25 BGP Prefixes


Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell, @0x7fff9 and @MalwareSecrets for sharing the mcconfs.

Monday 22 January 2018

Weekly TrickBot Analysis - End of w/c 15-Jan-2018 to 1000115

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 15th January 2018. This analysis covers 1,218 unique C2 IP addresses used in 248 mcconfs across 111 versions, with a highest version of 1000115.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Two versions were discovered in the week commencing 15th January 2018 (1000114 and 1000115), four the week before, and one the week before that. The two discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000115. There were no versions shared extending the six repeats from the last two months, where low (1000021 to 1000026) version numbers are reused. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.)

TrickBot Version Discovery Dates

The following graph shows the number of server entries using ports:
  • 443 (HTTPS);
  • 445 (IBM AS Server Mapper) -- INACTIVE;
  • 449 (Cray Network Semaphore Server); and 
  • 451 (SMB) -- INACTIVE.
This week's iteration A configs maintain a low count of C2 server entries, with all but one or two employing port 443 (HTTPS).

TrickBot SRV Port Usage

The following table shows the top 25 servers (of 1,218 unique) used within the 111 versions. This table remains the same as for the previous three weeks.

TrickBot Top 25 SRV

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 248 mcconfs analysed.


TrickBot gtag Breakdown

28 C2 servers were used in the mcconfs from this week, of which 23 were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to ASNs routed through RU (so the Y-axis of the graph below is cut short to allow clearer viewing of the other country counts). The new servers' IP addresses are associated with ASNs routed to 19xRU, 2xNL, 1xLU, and 1xPA.

TrickBot SRV IP Address BGP Prefix Country Codes

The following map shows the geographical location of 22 (scanned by Shodan) of the 28 IP addresses used in the analysed configs. One of these servers is a MikroTik device (historically a favourite of TrickBot). 11 are running OpenSSH, eight are running nginx, four are running Apache, two are running Exim, two are running MySQL, and one is running PostgreSQL -- with some servers running as many as three of these products.


TrickBot IP Address Locations For New Configs

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

TrickBot SRV IP Address BGP Prefix Country Codes By Version

Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.

TrickBot Top 25 BGP Prefixes


Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell and @0x7fff9 for sharing the mcconfs.

Monday 15 January 2018

Weekly TrickBot Analysis - End of w/c 08-Jan-2018 to 1000113

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 8th January 2018. This analysis covers 1,195 unique C2 IP addresses used in 245 mcconfs across 109 versions, with a highest version of 1000113.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Four versions were discovered in the week commencing 8th January 2018 (1000025, 1000026, 1000112, and 1000113), one the week before, and three the week before that. Two of the discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000113. In contrast, two continue on from the four repeats from December 2017, where version numbers are reused. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.)

TrickBot Version Discovery Dates

The following graph shows the number of server entries using ports:
  • 443 (HTTPS);
  • 445 (IBM AS Server Mapper) -- INACTIVE;
  • 449 (Cray Network Semaphore Server); and 
  • 451 (SMB) -- INACTIVE.
The latest of the iteration B configs (1000026) increases the number of C2 server entries beyond that of the previous iteration B configs. However, its count of 11 servers is still well below the average of 22, and these still look to be isolated tests. While version 1000111, from the week before, introduced one server on port 451 (SMB), none of the servers in this week's configs continued this revival.

TrickBot SRV Port Usage

The following table shows the top 25 servers (of 1,195 unique) used within the 109 versions. This table remains the same as for the previous two weeks.

TrickBot Top 25 SRV

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 241 mcconfs analysed.


TrickBot gtag Breakdown

61 C2 servers were used in the mcconfs from this week, of which 44 were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to RU (so the Y-axis of the graph below is cut short to allow clearer viewing of the other country counts). The new servers' IP addresses are allocated to 39xRU, 2xNL, 1xCA, 1xLT, and 1xUS.

TrickBot SRV IP Address BGP Prefix Country Codes

The following map shows the geographical location of 49 (those with location data) of the 53 (scanned by Shodan) of the 61 IP addresses used in the analysed configs. Two of these servers are MikroTik devices (historically a favourite of TrickBot). 40 are running OpenSSH, 17 are running nginx, 12 are running Apache, six are running Exim, four are running MySQL, two are running Postfix, two are running ProFTP, and one is running PostgreSQL -- with some servers running as many as six of these products.


TrickBot IP Address Locations For New Configs

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

TrickBot SRV IP Address BGP Prefix Country Codes By Version

Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.

TrickBot Top 25 BGP Prefixes


Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell and @0x7fff9 for sharing the mcconfs.

Weekly TrickBot Analysis - End of w/c 01-Jan-2018 to 1000111

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 1st January 2018. This analysis covers 1,151 unique C2 IP addresses used in 241 mcconfs across 105 versions, with a highest version of 1000111.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

One version was discovered in the week commencing 1st January 2018 (1000111), three the week before, and six the week before that. The newly discovered version extends the original iteration of version numbers (which I refer to as iteration A). In December 2017 four early version numbers (1000021, 1000022, 1000023 and 1000024) were reused and so I track these as part of a new, distinct 'iteration' (iteration B) of the version numbers.

TrickBot Version Discovery Dates

The following graph shows the number of server entries using ports:
  • 443 (HTTPS);
  • 445 (IBM AS Server Mapper) -- INACTIVE;
  • 449 (Cray Network Semaphore Server); and 
  • 451 (SMB).
The number of C2 server entries in the iteration B configurations is fewer than in almost all previous versions (and they only contain servers on port 443). This, and the reuse of the version numbers, may be indicative of testing being performed in association with new campaigns.

The recent 1000111 version introduced one server on port 451 (SMB). This is the first time a TrickBot server has employed this port since version 1000074, which was discovered on 23rd October 2017.

TrickBot SRV Port Usage

The following table shows the top 25 servers (of 1,151 unique) used within the 105 versions. This table remains the same as for the week before.

TrickBot Top 25 SRV

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 241 mcconfs analysed.


TrickBot gtag Breakdown

33 C2 servers were used in the new mcconf, of which 18 were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to RU (so the Y-axis of the graph below is cut short to allow clearer viewing of the other country counts). The new servers' IP addresses are allocated to 24xRU, 5xLU, 2xPL, 1xCL, and 1xEC.

TrickBot SRV IP Address BGP Prefix Country Codes

The following map shows the geographical location of 26 (those with location data) of the 32 (scanned by Shodan) of the 33 IP addresses used in the analysed config. Four of the 32 are MikroTik devices. Of the remainder, 25 are running OpenSSH, 15 are running nginx, five are running Apache, four are running Exim, two are running MySQL, one is running ProFTP, and one is running PostgreSQL -- with some servers running as many as six of these products.


TrickBot IP Address Locations For New Configs

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

TrickBot SRV IP Address BGP Prefix Country Codes By Version

Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.

TrickBot Top 25 BGP Prefixes


Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell and @0x7fff9 for sharing the mcconfs.

Wednesday 3 January 2018

Weekly TrickBot Analysis - End of w/c 25-Dec-2017 to 1000110

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 25th December 2017. This analysis covers 1,134 unique C2 IP addresses used in 240 mcconfs across 104 versions, with a highest version of 1000110.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Three versions were discovered in the last week (1000023, 1000024, and 1000110), six the week before, and four the week before that. Two of the versions discovered repeat early version numbers (1000023 and 1000024), following on from a similar pair (1000021 and 1000022) the week before. Given that these recently shared configs have novel campaign group tags and distinct C2 server lists compared to all previous configs, I am tracking these as part of a new, distinct 'iteration' of the version numbers. Within this (and future) analysis results you will, therefore, see the original iteration referred to as iteration A and the new one as iteration B -- where such a distinction is relevant.

TrickBot Version Discovery Dates

The following graph shows the number of server entries using ports:
  • 443 (HTTPS);
  • 445 (IBM AS Server Mapper) -- INACTIVE;
  • 449 (Cray Network Semaphore Server); and 
  • 451 (SMB) -- INACTIVE.
The number of C2 server entries in the iteration B configurations is fewer than in almost all previous versions (and they only contain servers on port 443). This, and the reuse of the version numbers, may be indicative of testing being performed in association with new campaigns.

TrickBot SRV Port Usage

The following table shows the top 25 servers (of 1,134 unique) used within the 104 versions. There were no changes to the ordering of the top 25 compared to the last week, with only one of the top 25 servers (200[.]111[.]97[.]235[:]449) being used in one additional version.

TrickBot Top 25 SRV

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 240 mcconfs analysed.


TrickBot gtag Breakdown

43 C2 servers were used in the analysed week's mcconfs, of which 23 were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to RU (so the Y-axis of the graph below is cut short to allow clearer viewing of the other country counts). The new servers' IP addresses are allocated to 16xRU, 2xLU, 2xNL, 1xFR, 1xGB, and 1xUA.

TrickBot SRV IP Address BGP Prefix Country Codes

The following map shows the geographical location of 36 (those with location data) of the 40 (scanned by Shodan) of the 43 IP addresses used in the analysed week's configs. Five of the 40 are MikroTik devices. Of the remainder, 30 are running OpenSSH, 17 are running nginx, six are running Apache, five are running Exim, one is running ProFTP, one is running MySQL, and one is running PostgreSQL -- with some servers running as many as five of these products.


TrickBot IP Address Locations For New Configs

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

TrickBot SRV IP Address BGP Prefix Country Codes By Version