Monday, 22 January 2018

Weekly TrickBot Analysis - End of w/c 15-Jan-2018 to 1000115

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 15th January 2018. This analysis covers 1,218 unique C2 IP addresses used in 248 mcconfs across 111 versions, with a highest version of 1000115.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Two versions were discovered in the week commencing 15th January 2018 (1000114 and 1000115), four the week before, and one the week before that. The two discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000115. There were no versions shared extending the six repeats from the last two months, where low (1000021 to 1000026) version numbers are reused. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.)

TrickBot Version Discovery Dates

The following graph shows the number of server entries using ports:
  • 443 (HTTPS);
  • 445 (IBM AS Server Mapper) -- INACTIVE;
  • 449 (Cray Network Semaphore Server); and 
  • 451 (SMB) -- INACTIVE.
This week's iteration A configs maintain a low count of C2 server entries, with all but one or two employing port 443 (HTTPS).

TrickBot SRV Port Usage

The following table shows the top 25 servers (of  1,218 unique) used within the 111 versions. This table remains the same as for the previous three weeks.

TrickBot Top 25 SRV

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 248 mcconfs analysed. 

TrickBot gtag Breakdown

28 C2 servers were used in the mcconfs from this week, of which 23 were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to ASN routed through RU (and so the graph below's Y-axis is cut short to allow clearer viewing of other country counts). The new servers' IP addresses are associated with ASN routed to 19xRU, 2xNL, 1xLU, and 1xPA.

TrickBot SRV IP Address BGP Prefix Country Codes

The following map shows the geographical location of 22 (scanned by Shodan) of the 28 IP addresses used in the analysed configs. One of these servers is a MikroTik device (historically a favourite of TrickBot). 11 are running OpenSSH, eight are running nginx, four are running Apache, two are running Exim, two are running MySQL,  and one is running PostgreSQL -- with some servers running as many as three of these products.

TrickBot IP Address Locations For New Configs

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

TrickBot SRV IP Address BGP Prefix Country Codes By Version

Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.

TrickBot Top 25 BGP Prefixes

Thanks to @mpvillafranca94@JR0driguezB@0bscureC0de@virsoz@spalomaresg@VK_Intel@K_N1kolenko@hasherezade@botNET___@ArnaudDlms@StackGazer,@voidm4p@James_inthe_box@MakFLwana@_ddoxer@moutonplacide@JasonMilletary,@Ring0x0@precisionsec@Techhelplistcom@pollo290987@MalHunters@coldshell and @0x7fff9 for sharing the mcconfs.