Wednesday, 3 January 2018

Weekly TrickBot Analysis - End of w/c 25-Dec-2017 to 1000110

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 25th December 2017. This analysis covers 1,134 unique C2 IP addresses used in 240 mcconfs across 104 versions, with a highest version of 1000110.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Three versions were discovered in the last week (1000023, 1000024, and 1000110), six the week before, and four the week before that. Two of the versions discovered repeat early version numbers (1000023 and 1000024), following on from a similar pair (1000021 and 1000022) the week before. Given that these recently shared configs have novel campaign group tags and distinct C2 server lists compared to all previous configs, I am tracking these as part of a new, distinct 'iteration' of the version numbers. Within this (and future) analysis results you will, therefore, see the original iteration referred to as iteration A and the new one as iteration B -- where such a distinction is relevant.

TrickBot Version Discovery Dates

The following graph shows the number of server entries using ports:
  • 443 (HTTPS);
  • 445 (IBM AS Server Mapper) -- INACTIVE;
  • 449 (Cray Network Semaphore Server); and 
  • 451 (SMB) -- INACTIVE.
The number of C2 server entries in the iteration B configurations are fewer than almost all previous versions (and only contain servers on port 443). This, and the reuse of the version numbers, may be indicative of testing being performed in association with new campaigns.

TrickBot SRV Port Usage

The following table shows the top 25 servers (of  1,134 unique) used within the 104 versions. There were no changes to the ordering of the top 25 compared to the last week, with only one  of the top 25 servers (200[.]111.97.235:449) being used in one additional version.

TrickBot Top 25 SRV

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 240 mcconfs analysed. 

TrickBot gtag Breakdown

43 C2 servers were used in the analysed week's mcconfs, of which 23 were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to RU (and so the graph below's Y-axis is cut short to allow clearer viewing of other country counts). The new servers' IP addresses are allocated to 16xRU, 2xLU, 2xNL, 1xFR, 1xGB, and 1xUA.

TrickBot SRV IP Address BGP Prefix Country Codes

The following map shows the geographical location of 36 (those with location data) of the 40 (scanned by Shodan) of the 43 IP addresses used in the analysed week's configs. Five of the 40 are MikroTik devices. Of the remainder, 30 are running OpenSSH, 17 are running nginx, six are running Apache, five are running Exim, one is running ProFTP, one is running MySQL, and one is running PostgreSQL -- with some servers running as many as five of these products.

TrickBot IP Address Locations For New Configs

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

TrickBot SRV IP Address BGP Prefix Country Codes By Version