Monday, 15 January 2018

Weekly TrickBot Analysis - End of w/c 08-Jan-2018 to 1000113

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 8th January 2018. This analysis covers 1,195 unique C2 IP addresses used in 245 mcconfs across 109 versions, with a highest version of 1000113.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Four versions were discovered in the week commencing 8th January 2018 (1000025, 1000026, 1000112, and 1000113), one the week before, and three the week before that. Two of the discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000113. In contrast, two continue on from the four repeats from December 2017, where version numbers are reused. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.)

TrickBot Version Discovery Dates

The following graph shows the number of server entries using ports:
  • 443 (HTTPS);
  • 445 (IBM AS Server Mapper) -- INACTIVE;
  • 449 (Cray Network Semaphore Server); and 
  • 451 (SMB) -- INACTIVE.
The latest of the iteration B configs (1000026) increases the number of C2 server entries beyond that of the previous iteration B configs. However, its count of 11 servers is still well below the average of 22, and these still look to be isolated tests. While version 1000111, from the week before, introduced one server on port 451 (SMB), none of the servers in this week's configs continued this revival.

TrickBot SRV Port Usage

The following table shows the top 25 servers (of 1,195 unique) used within the 109 versions. This table remains the same as for the previous two weeks.

TrickBot Top 25 SRV

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 241 mcconfs analysed. 

TrickBot gtag Breakdown

61 C2 servers were used in the mcconfs from this week, of which 44 were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to RU (so the Y-axis of the graph below is truncated to allow clearer viewing of the other country counts). The new servers' IP addresses are allocated to 39xRU, 2xNL, 1xCA, 1xLT, and 1xUS.
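The counts above (server entries per port, gtag breakdown, unique C2 addresses and how many are new, and the split of versions into iterations A and B) are all straightforward aggregations over decrypted mcconfs. The script below is an added example, not the author's own tooling, showing one way to compute them. It assumes the decrypted mcconf is the XML layout with `<ver>`, `<gtag>` and `<servs><srv>IP:PORT</srv></servs>` elements, which is a stated assumption here; the three sample configs, their gtag values, and the set of previously seen servers are constructed (the IP addresses come from the RFC 5737 documentation ranges). A version is assigned to iteration B when its number is lower than the highest iteration A version already seen, which reproduces the "version numbers are reused" rule described above.

```python
"""Aggregate weekly statistics over decrypted TrickBot mcconfs (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample mcconfs. Versions, gtags and servers are illustrative only;
# the IP addresses are RFC 5737 documentation addresses, not real C2s.
SAMPLE_MCCONFS = [
    """<mcconf><ver>1000112</ver><gtag>test0112</gtag>
       <servs><srv>192.0.2.10:443</srv><srv>192.0.2.11:449</srv>
              <srv>198.51.100.5:443</srv></servs>
       <autorun><module name="systeminfo" ctl="GetSystemInfo"/></autorun></mcconf>""",
    """<mcconf><ver>1000113</ver><gtag>test0113</gtag>
       <servs><srv>192.0.2.10:443</srv><srv>203.0.113.7:449</srv>
              <srv>203.0.113.8:449</srv></servs></mcconf>""",
    """<mcconf><ver>1000026</ver><gtag>test0026</gtag>
       <servs><srv>198.51.100.5:443</srv><srv>198.51.100.6:445</srv></servs></mcconf>""",
]

# Constructed set of C2 addresses seen in earlier weeks, used to separate
# this week's servers into "new" and "previously seen".
KNOWN_SERVERS = {"192.0.2.10", "198.51.100.5"}

# Highest iteration A version known before this week (1000111, per the post).
HIGHEST_PRIOR_VERSION = 1000111


def parse_mcconf(xml_text):
    """Return version, gtag and the (ip, port) server entries of one mcconf."""
    root = ET.fromstring(xml_text)
    servers = []
    for srv in root.iter("srv"):
        # rpartition keeps the split robust if a host part ever contains ':'
        ip, _, port = srv.text.strip().rpartition(":")
        servers.append((ip, int(port)))
    return {
        "ver": int(root.findtext("ver")),
        "gtag": root.findtext("gtag"),
        "servers": servers,
    }


def analyse(mcconfs, known_servers, highest_prior_version):
    """Compute the per-week aggregates reported in the analysis."""
    configs = [parse_mcconf(text) for text in mcconfs]
    unique_ips = set()
    port_counts = Counter()   # counts server *entries*, so an IP reused across
    gtag_counts = Counter()   # configs is counted once per config it appears in
    iterations = {}
    for cfg in configs:
        gtag_counts[cfg["gtag"]] += 1
        # A reused (lower) version number is treated as iteration B.
        iterations[cfg["ver"]] = "A" if cfg["ver"] > highest_prior_version else "B"
        for ip, port in cfg["servers"]:
            unique_ips.add(ip)
            port_counts[port] += 1
    return {
        "unique_c2": len(unique_ips),
        "new_c2": len(unique_ips - known_servers),
        "ports": dict(port_counts),
        "gtags": dict(gtag_counts),
        "iterations": iterations,
        "avg_servers_per_config": sum(len(c["servers"]) for c in configs) / len(configs),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_MCCONFS, KNOWN_SERVERS, HIGHEST_PRIOR_VERSION)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed samples this reports 6 unique C2 addresses, 4 of them new, 4 entries on port 443, 3 on 449 and 1 on 445, and places 1000026 in iteration B. Pointing `SAMPLE_MCCONFS` at a directory of real decrypted configs and keeping `KNOWN_SERVERS` as the accumulated history is all that is needed to track the same figures week over week.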

TrickBot SRV IP Address BGP Prefix Country Codes

The following map shows the geographical location of 49 of the 61 IP addresses used in the analysed configs (53 of the 61 were scanned by Shodan, and 49 of those have location data). Two of these servers are MikroTik devices (historically a favourite of TrickBot). 40 are running OpenSSH, 17 are running nginx, 12 are running Apache, six are running Exim, four are running MySQL, two are running Postfix, two are running ProFTP, and one is running PostgreSQL -- with some servers running as many as six of these products.

TrickBot IP Address Locations For New Configs

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

TrickBot SRV IP Address BGP Prefix Country Codes By Version

Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.

TrickBot Top 25 BGP Prefixes

Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell and @0x7fff9 for sharing the mcconfs.