Weekly TrickBot Analysis - End of w/c 12-Feb-2018 to A-1000130 and B-1000051

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 12th February 2018. This analysis covers 1,547 unique C2 IP addresses used in 290 mcconfs across 148 versions, with a highest version of A-1000130 and B-1000051.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Thirteen versions were discovered in the week commencing 12th February 2018 (A-1000127, A-1000128, A-1000129, A-1000130, B-1000040, B-1000041, B-1000042, B-1000045, B-1000046, B-1000047, B-1000049, B-1000050, and B-1000051), nine the week before, and seven the week before that. Four of the discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000130. Nine shared versions extend the secondary botnet which is reusing earlier version numbers, taking them to 1000051. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.)

The following graph shows the number of server entries using ports:

• 443 (HTTPS);
• 445 (IBM AS Server Mapper) -- INACTIVE;
• 449 (Cray Network Semaphore Server); and 
• 451 (SMB) -- INACTIVE.

This week's iteration A configs continue to have short lists (17 and fewer) of command and control (C2) servers compared to previous months. The iteration B configs continue to fluctuate their counts of C2 servers maxing out at 22; however, they remain utilising only port 443 (HTTPS) servers.

The following table shows the top 25 servers (of  1,547 unique) used within the 148 versions. Two C2 servers (212[.]14[.]51[.]43[:]449 and 212[.]14[.]51[.]56[:]449) which entered this table for the first time last week have jumped up the table following numerous uses this week. Two further C2 servers (78[.]155[.]199[.]119[:]443 and 78[.]155[.]218[.]105[:]443) have also increased their positions significantly.

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 290 mcconfs analysed. 

105 C2 servers were used in the mcconfs from this week, of which 82 (78%) were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to ASN routed through RU (and so the graph below's Y-axis is cut short to allow clearer viewing of other country counts). The new servers' IP addresses are associated with ASN routed to: 57xRU, 8xGB, 4xUA, 3xUS, 2xBG, 2xFR, 2xNL, 2xPA, 1xCZ, and 1xEC.

The following map shows the geographical location of 67 (those with location data) of 72 (scanned by Shodan) of the 105 IP addresses used in the analysed configs.

According to Shodan's most recent data:

• None of these servers are MikroTik devices (historically a favourite of TrickBot). One is an ER-X router device, and one is a NanoStation 2.

• 51 are running OpenSSH, 24 are running nginx, 11 are running Exim, seven are running Apache, five are running MySQL, two are running Postfix, one is running Dropbear SSH, and one is running Gearman (an application framework for farming out work to other machines) -- with some servers running as many as four of these products.

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.

Full size versions of the images included in this post are available here.

Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer,@voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary,@Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell, @0x7fff9 and @MalwareSecrets for sharing the mcconfs.