Wednesday, 21 February 2018

Weekly TrickBot Analysis - End of w/c 12-Feb-2018 to A-1000130 and B-1000051

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 12th February 2018. This analysis covers 1,547 unique C2 IP addresses used in 290 mcconfs across 148 versions, with a highest version of A-1000130 and B-1000051.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Thirteen versions were discovered in the week commencing 12th February 2018 (A-1000127, A-1000128, A-1000129, A-1000130, B-1000040, B-1000041, B-1000042, B-1000045, B-1000046, B-1000047, B-1000049, B-1000050, and B-1000051), nine the week before, and seven the week before that. Four of the discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000130. Nine shared versions extend the secondary botnet which is reusing earlier version numbers, taking them to 1000051. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.)

TrickBot Version Discovery Dates

The following graph shows the number of server entries using ports:
  • 443 (HTTPS);
  • 445 (IBM AS Server Mapper) -- INACTIVE;
  • 449 (Cray Network Semaphore Server); and 
  • 451 (SMB) -- INACTIVE.
This week's iteration A configs continue to have short lists (17 and fewer) of command and control (C2) servers compared to previous months. The iteration B configs continue to fluctuate their counts of C2 servers maxing out at 22; however, they remain utilising only port 443 (HTTPS) servers.

TrickBot SRV Port Usage

The following table shows the top 25 servers (of  1,547 unique) used within the 148 versions. Two C2 servers (212[.]14[.]51[.]43[:]449 and 212[.]14[.]51[.]56[:]449) which entered this table for the first time last week have jumped up the table following numerous uses this week. Two further C2 servers (78[.]155[.]199[.]119[:]443 and 78[.]155[.]218[.]105[:]443) have also increased their positions significantly.

TrickBot Top 25 SRV

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 290 mcconfs analysed. 


TrickBot gtag Breakdown

105 C2 servers were used in the mcconfs from this week, of which 82 (78%) were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to ASN routed through RU (and so the graph below's Y-axis is cut short to allow clearer viewing of other country counts). The new servers' IP addresses are associated with ASN routed to: 57xRU, 8xGB, 4xUA, 3xUS, 2xBG, 2xFR, 2xNL, 2xPA, 1xCZ, and 1xEC.

TrickBot SRV IP Address BGP Prefix Country Codes

The following map shows the geographical location of 67 (those with location data) of 72 (scanned by Shodan) of the 105 IP addresses used in the analysed configs.

According to Shodan's most recent data:
  • None of these servers are MikroTik devices (historically a favourite of TrickBot). One is an ER-X router device, and one is a NanoStation 2.
  • 51 are running OpenSSH, 24 are running nginx, 11 are running Exim, seven are running Apache, five are running MySQL, two are running Postfix, one is running Dropbear SSH, and one is running Gearman (an application framework for farming out work to other machines) -- with some servers running as many as four of these products.
TrickBot IP Address Locations For New Configs

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

TrickBot SRV IP Address BGP Prefix Country Codes By Version

Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.

TrickBot Top 25 BGP Prefixes

Full size versions of the images included in this post are available here.

Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer,@voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary,@Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell, @0x7fff9 and @MalwareSecrets for sharing the mcconfs.

Monday, 12 February 2018

Weekly TrickBot Analysis - End of w/c 05-Feb-2018 to 1000126

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 5th February 2018. This analysis covers 1,465 unique C2 IP addresses used in 275 mcconfs across 134 versions, with a highest version of 1000126.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Nine versions were discovered in the week commencing 5th February 2018 (A-1000124, A-1000125, A-1000126, B-1000033, B-1000034, B-1000035, B-1000037, B-1000038, and B-1000039), seven the week before, and seven the week before that. Four of the discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000123. Three shared versions extend the nine repeats from the last few months, where low (1000021 to 1000029) version numbers are reused. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.)

TrickBot Version Discovery Dates

The following graph shows the number of server entries using ports:
  • 443 (HTTPS);
  • 445 (IBM AS Server Mapper) -- INACTIVE;
  • 449 (Cray Network Semaphore Server); and 
  • 451 (SMB) -- INACTIVE.
This week's iteration A configs reduced the number of command and control (C2) servers compared to recent weeks. The iteration B configs temporarily dropped towards previous levels but peaked at the end of the week with a greater number of C2 servers than iteration A.

TrickBot SRV Port Usage

The following table shows the top 25 servers (of  1,465 unique) used within the 134 versions. Two C2 servers (212[.]14[.]51[.]43[:]449 and 212[.]14[.]51[.]56[:]449) enter this table for the first time at positions 22 and 23, pushing out the bottom two servers from last week.

TrickBot Top 25 SRV

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 275 mcconfs analysed. 


TrickBot gtag Breakdown

105 C2 servers were used in the mcconfs from this week, of which 86 (82%) were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to ASN routed through RU (and so the graph below's Y-axis is cut short to allow clearer viewing of other country counts). The new servers' IP addresses are associated with ASN routed to: 76xRU, 5xGB, 3xCH, and 2xPA.

TrickBot SRV IP Address BGP Prefix Country Codes

The following map shows the geographical location of 73 (those with location data) of 76 (scanned by Shodan) of the 105 IP addresses used in the analysed configs.

According to Shodan's most recent data:

  • None of these servers are MikroTik devices (historically a favourite of TrickBot).


  • 51 are running OpenSSH, 30 are running nginx, five are running Apache, four are running Exim, two are running Postfix, one is running Dropbear SSH, one is running MySQL, and one is running ProFTPD -- with some servers running as many as five of these products.



TrickBot IP Address Locations For New Configs

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

TrickBot SRV IP Address BGP Prefix Country Codes By Version

Wednesday, 7 February 2018

Weekly TrickBot Analysis - End of w/c 29-Jan-2018 to 1000123

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 29th January 2018. This analysis covers 1,379 unique C2 IP addresses used in 264 mcconfs across 125 versions, with a highest version of 1000123.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Seven versions were discovered in the week commencing 29th January 2018 (A-1000120, A-1000121, A-1000122, A-1000123, B-1000030, B-1000031, and B-1000032), seven the week before, and two the week before that. Four of the discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000123. Three shared versions extend the nine repeats from the last few months, where low (1000021 to 1000029) version numbers are reused. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.)

TrickBot Version Discovery Dates

The following graph shows the number of server entries using ports:
  • 443 (HTTPS);
  • 445 (IBM AS Server Mapper) -- INACTIVE;
  • 449 (Cray Network Semaphore Server); and 
  • 451 (SMB) -- INACTIVE.
This week's iteration A configs continue the recent fluctuations, but increased the number of port 449 servers slightly. The iteration B configs seen doubled the low C2 server count which had previously typified iteration B.

TrickBot SRV Port Usage

The following table shows the top 25 servers (of  1,379 unique) used within the 125 versions. This table stays the same as the week before due to the significant amount of new C2 server addresses.

TrickBot Top 25 SRV

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 264 mcconfs analysed. 


TrickBot gtag Breakdown

99 C2 servers were used in the mcconfs from this week, of which 77 (78%) were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to ASN routed through RU (and so the graph below's Y-axis is cut short to allow clearer viewing of other country counts). The new servers' IP addresses are associated with ASN routed to: 71xRU, 4xNL, 1xLU, and 1xUS.

TrickBot SRV IP Address BGP Prefix Country Codes

The following map shows the geographical location of 84 (those with location data) of 86 (scanned by Shodan) of the 99 IP addresses used in the analysed configs.

Two of these servers are MikroTik devices (historically a favourite of TrickBot), and one is an ERLite-3.

60 are running OpenSSH, 34 are running nginx, 16 are running Apache, 10 are running Exim, five are running Postfix, five are running MySQL, three are running ProFTPD, one is running DarkRP, and one is running Dropbear SSH -- with some servers running as many as five of these products.


TrickBot IP Address Locations For New Configs

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

TrickBot SRV IP Address BGP Prefix Country Codes By Version