Saturday, 10 March 2018

Weekly TrickBot Analysis - End of w/c 19-Feb-2018 to A-1000133 and B-1000061

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 19th February 2018. This analysis covers 1,637 unique C2 IP addresses used in 322 mcconfs across 166 versions, with a highest version of A-1000133 and B-1000061.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Eleven new versions were discovered in the week commencing 19th February 2018 (A-1000131, A-1000132, A-1000133, B-1000052, B-1000054, B-1000055, B-1000056, B-1000057, B-1000058, B-1000059, and B-1000061), thirteen the week before, and nine the week before that. Three of the discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000133. Eight shared versions extend the secondary botnet which is reusing earlier version numbers, taking them to 1000061. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.)

TrickBot Version Discovery Dates

The following graph shows the number of server entries using ports:
  • 443 (HTTPS);
  • 444 (Simple Network Paging Protocol);
  • 445 (IBM AS Server Mapper) -- INACTIVE;
  • 449 (Cray Network Semaphore Server); and 
  • 451 (SMB) -- INACTIVE.
This week's iteration A configs' command and control (C2) server lists increased in length slightly, but remain short compared to previous months. The iteration B configs show a pattern of fluctuating toward a count of 20 C2 servers; however, they introduced a new port, 444 (Simple Network Paging Protocol), to the last three versions. It is unclear at this time if this is a typographical error (such errors have been seen before) or a new development.

TrickBot SRV Port Usage

The following table shows the top 25 servers (of  1,637 unique) used within the 166 versions. The table involves some shuffling at the top, with a few new entries near the bottom. However, in part this is driven by some older configs that were shared.

TrickBot Top 25 SRV

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 322 mcconfs analysed. 

TrickBot gtag Breakdown

92 C2 servers were used in the mcconfs from this week, of which 71 (77%) were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to ASN routed through RU (and so the graph below's Y-axis is cut short to allow clearer viewing of other country counts). The new servers' IP addresses are associated with ASN routed to: 45xRU, 9xUA, 5xGB, 3xUS, 3xFR, 2xEE, 2xNL, 1xLU, and 1xPA.

TrickBot SRV IP Address BGP Prefix Country Codes

The following map shows the geographical location of 71 (those with location data) of 74 (scanned by Shodan) of the 92 C2 servers used in the analysed configs.

According to Shodan's most recent data:
  • 50 are running OpenSSH, 19 are running nginx, four are running Exim, three are running Apache, three are running Dropbear SSH, two are running Postfix, and one is running PostgreSQL.
TrickBot C2 Server Locations For New Configs

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

TrickBot SRV IP Address BGP Prefix Country Codes By Version

Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.

TrickBot Top 25 BGP Prefixes

Full size versions of the images included in this post are available here.

Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer,@voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary,@Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell, @0x7fff9 and @MalwareSecrets for sharing the mcconfs.