The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)
One version was discovered in the week commencing 1st January 2018 (1000111), three the week before, and six the week before that. The newly discovered version extends the original iteration of version numbers (which I refer to as iteration A). In December 2017 four early version numbers (1000021, 1000022, 1000023 and 1000024) were reused and so I track these as part of a new, distinct 'iteration' (iteration B) of the version numbers.
The following graph shows the number of server entries using ports:
- 443 (HTTPS);
- 445 (IBM AS Server Mapper) -- INACTIVE;
- 449 (Cray Network Semaphore Server); and
- 451 (SMB).
The recent 1000111 version introduced one server on port 451 (SMB). This is the first time a TrickBot server has employed this port since version 1000074, which was discovered on 23rd October 2017.
The following map shows the geographical location of 26 of the 33 IP addresses used in the analysed config (32 of the 33 were scanned by Shodan, and 26 of those 32 have location data). Four of the 32 are MikroTik devices. Of the remainder, 25 are running OpenSSH, 15 are running nginx, five are running Apache, four are running Exim, two are running MySQL, one is running ProFTP, and one is running PostgreSQL -- with some servers running as many as six of these products.
The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.
Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.
Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell and @0x7fff9 for sharing the mcconfs.