Monday, 29 January 2018

Weekly TrickBot Analysis - End of w/c 22-Jan-2018 to 1000119

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 22nd January 2018. This analysis covers 1,302 unique C2 IP addresses used in 255 mcconfs across 118 versions, with a highest version of 1000119.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Seven versions were discovered in the week commencing 22th January 2018 (A-1000116, A-1000117, A-1000118, A-1000119, B-1000027, B-1000028, and B-1000029), two the week before, and four the week before that. Four of the discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000119. Three shared versions extend the six repeats from the last two months, where low (1000021 to 1000026) version numbers are reused. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.)

TrickBot Version Discovery Dates

The following graph shows the number of server entries using ports:
  • 443 (HTTPS);
  • 445 (IBM AS Server Mapper) -- INACTIVE;
  • 449 (Cray Network Semaphore Server); and 
  • 451 (SMB) -- INACTIVE.
This week's iteration A configs increased the count of C2 server entries back to a level last seen at the start of January. The iteration B configs seen continue the low C2 server count which has typified iteration B.

TrickBot SRV Port Usage

The following table shows the top 25 servers (of  1,302 unique) used within the 118 versions. This table changes for the first time in five weeks with the introduction of 94[.]127[.]111[.]14[:]449 into the top 25 due to its use between versions 1000109 and 1000116.

TrickBot Top 25 SRV

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 255 mcconfs analysed. 


TrickBot gtag Breakdown

97 C2 servers were used in the mcconfs from this week, of which 84 (87%) were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to ASN routed through RU (and so the graph below's Y-axis is cut short to allow clearer viewing of other country counts). The new servers' IP addresses are associated with ASN routed to: 64xRU, 10xNL, 3xIN, 3xLU, 2xPL, 1xCH, and 1xUS.

TrickBot SRV IP Address BGP Prefix Country Codes

The following map shows the geographical location of 85 (scanned by Shodan) of the 97 IP addresses used in the analysed configs.

Five of these servers are MikroTik devices (historically a favourite of TrickBot), one is an ER-X and one is a NanoStation Loco M5.

49 are running OpenSSH, 25 are running nginx, 16 are running Apache, eight are running Exim, eight are running Postfix, four are running MySQL, four are running ProFTPD, one is running ARK, one is running Dropbear SSH, one is running IIS, one is running Squid Proxy -- with some servers running as many as four of these products.


TrickBot IP Address Locations For New Configs

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

TrickBot SRV IP Address BGP Prefix Country Codes By Version

Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.

TrickBot Top 25 BGP Prefixes


Thanks to @mpvillafranca94@JR0driguezB@0bscureC0de@virsoz@spalomaresg@VK_Intel@K_N1kolenko@hasherezade@botNET___@ArnaudDlms@StackGazer,@voidm4p@James_inthe_box@MakFLwana@_ddoxer@moutonplacide@JasonMilletary,@Ring0x0@precisionsec@Techhelplistcom@pollo290987@MalHunters@coldshell@0x7fff9 and @MalwareSecrets for sharing the mcconfs.