Weekly TrickBot Analysis - End of w/c 16-Apr-2018 to A-1000182, B-1000068, and C-1000173

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 16th April 2018. This analysis covers 2,115 unique C2 IP addresses used in 397 mcconfs across 224 versions, with highest versions of A-1000182, B-1000068, and C-1000173.

Since its first use in approximately October 2016, TrickBot has frequently issued new versions of its XML configuration file mcconf. Originally there was a single chain of config versions which started at 1000002. (There may have been a 1000001 but it is not shared publicly.) I refer to this original sequence as iteration A. In November 2017 TrickBot mcconfs were issued for older version numbers than the current iteration A configs, but with different command and control (C2) servers to those in that version's iteration A config. This indicated the start of iteration B, a new sequence of configs believed to be for a second botnet. While there is some overlap of the C2 servers between iteration A and iteration B, the majority of C2 servers are specific to an iteration (hence botnet). As of late March 2018 another iteration, iteration C, was started, once again repeating previously used version numbers but with different C2 server lists.

Iteration A only = 1,727 C2 servers
Iteration B only = 329 C2 servers
Iteration C only = 58 C2 servers
Iteration A & B = 13 C2 servers
Iteration A & C = 2 C2 server
Iteration B & C = 0 C2 servers
Iteration A, B & C = 0 C2 servers

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. The flatter the line, the more frequently versions are discovered. Ignore the long almost vertical lines which coincide with the switch from one iteration to the next. These vertical lines are purely an artefact of graphing the data in a single series. (Note: Full size versions of all the graphs and tables are available via the link at the end of this post.)

There were 11 new config versions discovered in the week commencing 16th April 2018 (A-1000176, A-1000177, A-1000178, A-1000179, A-1000180, A-1000181, A-1000182, C-1000169, C-1000171, C-1000172, and C-1000173), six the week before, and seven the week before that. Of the 11 new config versions, seven extend the iteration A botnet, taking this to 1000182. The secondary, iteration B, botnet was not extended in the discovered versions and remains unchanged since 1000068 of 28th February 2018. Four of the new config versions started off a new tertiary, iteration C, botnet, starting at C-1000169.

The following graph shows the number of server entries using ports:

• 443 (HTTPS);
• 444 (Simple Network Paging Protocol) -- INACTIVE;
• 445 (IBM AS Server Mapper) -- INACTIVE;
• 449 (Cray Network Semaphore Server); and 
• 451 (SMB).

As with last week, the iteration A configs have pushed toward (and temporarily just over) 30 C2 servers. A single :451 (SMB) server remained during the week also. The new iteration C configs have been a similar length to the iteration B ones from earlier in the year. So far, with a cap of 20 C2 servers in their lists.

The following table shows the top 25 servers (of  2,115 unique) used within the 212 versions. While server 82[.]214[.]141[.]134:449 extended its lead at the top, additionally 185[.]159[.]128[.]158:443 jumped from a new entry last week up to the middle of the table. Lastly, 176[.]121[.]215[.]149:449 entered at the bottom of the table.

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 397 mcconfs analysed. (Yes, I know it's unreadable - it's just here as a guide to show what's in the downloadable zip file at the bottom of the post.)

106 C2 servers were used in the mcconfs from this week, of which 81 (76%) were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to ASN routed through RU (and so the graph below's Y-axis is cut short to allow clearer viewing of other country counts). The new servers' IP addresses are associated with ASN routed to: 39xRU, 21xUA, 7xFR, 3xNL, 3xUS, 2xLT, 1xCA, 1xGB, 1xHU, 1xLU, 1xRS, and 1xTJ.

The following map shows the geographical location of 91 (those with location data) of 92 (scanned by Shodan) of the 106 C2 server IP addresses used in the analysed configs.

According to Shodan's most recent data:

• 13 are Ubiquiti devices and two are MikroTik devices.
• 61 are running OpenSSH, 27 are running nginx, 13 are running Dropbear SSH, nine are running Apache, nine are running Exim, six are running Postfix, three are running MySQL, two are running IIS, and one is running Pro FTP.

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version. (Once again, I know it's unreadable - it's just here as a guide to show what's in the downloadable zip file at the bottom of the post.)

Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.

Full size versions of the images included in this post are available here.

Thanks to @hasherezade, @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @botNET___, @ArnaudDlms, @StackGazer,@voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary,@Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell, @0x7fff9 and @MalwareSecrets for sharing the mcconfs.

Weekly TrickBot Analysis - End of w/c 09-Apr-2018 to A-1000175 and B-1000068

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 9th April 2018. This analysis covers 2,015 unique C2 IP addresses used in 383 mcconfs across 212 versions, with highest versions of A-1000175 and B-1000068.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.) Full size versions of all the graphs and tables are available via the link at the end of this post.

Six new versions were discovered in the week commencing 9th April 2018 (A-1000170, A-1000171, A-1000172, A-1000173, A-1000174, and A-1000175), seven the week before, and six the week before that. All six of the discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000175. The secondary botnet, which is reusing earlier version numbers, was not extended in the discovered versions and remains unchanged for six weeks. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.)

The following graph shows the number of server entries using ports:

• 443 (HTTPS);
• 444 (Simple Network Paging Protocol) -- INACTIVE;
• 445 (IBM AS Server Mapper) -- INACTIVE;
• 449 (Cray Network Semaphore Server); and 
• 451 (SMB).

For the last two months the iteration A configs' command and control (C2) server lists have had a maximum of 21 entries and a mean of 18.2. (The iteration B config's had a similar limit of 22 entries when they were active.) This week's configs pushed back past this count and for the first time comprised more :449 (Cray Network Semaphore Server) servers than :443 (HTTPS).

The following table shows the top 25 servers (of  2,015 unique) used within the 212 versions. There were only two changes this week. Server 82[.]214[.]141[.]134:449 continued its push up the table from last week's 4th position to 1st. Additionally 185[.]159[.]128[.]158:443 moved into 24th.

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 383 mcconfs analysed. 

58 C2 servers were used in the mcconfs from this week, of which 48 (83%) were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to ASN routed through RU (and so the graph below's Y-axis is cut short to allow clearer viewing of other country counts). The new servers' IP addresses are associated with ASN routed to: 21xRU, 10xUS, 4xPL, 3xRS, 2xLU, 1xBR, 1xDE, 1xFR, 1xHU, 1xIQ, 1xIT, 1xRO and 1xUA.

The following map shows the geographical location of 46 (those with location data) of 47 (scanned by Shodan) of the 58 C2 servers used in the analysed configs.

According to Shodan's most recent data:

• 14 are Ubiquiti devices and six are MikroTik devices.
• 13 are running OpenSSH, 13 are running Dropbear SSH, 12 are running nginx, four are running Exim, three are running Apache, one is running IIS, and one is running Pro FTP.

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.

Full size versions of the images included in this post are available here.

Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer,@voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary,@Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell, @0x7fff9 and @MalwareSecrets for sharing the mcconfs.

Weekly TrickBot Analysis - End of w/c 02-Apr-2018 to A-1000169 and B-1000068

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 2nd April 2018. This analysis covers 1,969 unique C2 IP addresses used in 374 mcconfs across 206 versions, with highest versions of A-1000169 and B-1000068.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Seven new versions were discovered in the week commencing 2nd April 2018 (A-1000163, A-1000164, A-1000165, A-1000166, A-1000167, A-1000168, and A-1000169), six the week before, and eight the week before that. All seven of the discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000169. The secondary botnet, which is reusing earlier version numbers, was not extended in the discovered versions and remains unchanged for five weeks. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.)

The following graph shows the number of server entries using ports:

• 443 (HTTPS);
• 444 (Simple Network Paging Protocol) -- INACTIVE;
• 445 (IBM AS Server Mapper) -- INACTIVE;
• 449 (Cray Network Semaphore Server); and 
• 451 (SMB).

Ever since version 1000123, at the start of February, the iteration A configs' command and control (C2) server lists have had a maximum of 21 entries. (The iteration B config's had a similar limit of 22 entries when they were active.) This week's configs continued that approach, although a :451 (SMB) server was re-added, much like the middle of March.

Notably, version 1000160 was seen with two different C2 server lists this week. This has happened only once before, in December 2017, for version 1000105; although in that case it seemed to be a typographical issue (as I discuss here). However, in the recent 1000160 version the two server lists are dramatically different (as I discuss here).

The following table shows the top 25 servers (of  1,969 unique) used within the 206 versions. Server 82[.]214[.]141[.]134:449 jumped up to 4th position this week, with 31[.]134[.]60[.]181:449 and 185[.]55[.]64[.]47:449 also moving up the top 25. 109[.]95[.]113[.]130:449 moved into the top 25, straight into 15th position.

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 374 mcconfs analysed. 

77 C2 servers were used in the mcconfs from this week, of which 66 (86%) were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to ASN routed through RU (and so the graph below's Y-axis is cut short to allow clearer viewing of other country counts). The new servers' IP addresses are associated with ASN routed to: 51xRU, 7xUA, 5xPL, 1xBG, 1xFR, and 1xUS.

The following map shows the geographical location of 62 (those with location data) of 64 (scanned by Shodan) of the 77 C2 servers used in the analysed configs.

According to Shodan's most recent data:

• 10 are MikroTik devices, 4 are Ubiquiti devices.
• 27 are running OpenSSH, 18 are running nginx, 11 are running Apache, eight are running Exim, three are running Dropbear SSH, three are running MySQL, three are running Postfix, one is running Jetty, one is running Pro FTP, one is running Pure FTP, and one is running VNC.

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.

Full size versions of the images included in this post are available here.

Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer,@voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary,@Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell, @0x7fff9 and @MalwareSecrets for sharing the mcconfs.

Adhoc TrickBot Analysis - 1000160

As discussed previously, while TrickBot issues configurations (mcconf) for different campaigns (group tags) under each version number, the command and control (C2) server lists for these campaigns are usually the same for a particular version. In December 2017 a version 1000105 was seen with two different C2 server lists. However, as I discussed the variations looked to be typographical in nature.

Version 1000160, from 28th March 2018, is the only other time (so far shared) that two different C2 server lists have been seen for a single version of mcconf (within a single iteration of the version numbers - see below). However, in this case the two server lists are dramatically different. The test list (and an exact copy used for gtag 'ser0329a') look to continue the iteration A sequence of versions, with C2 servers which share a good number of entries with those from versions 1000159 and 1000161 (as seen in the image below). The config shared by @Ring0x0 for gtag 'uk03-1', however, contains very different servers; and only one of these, 185.146.156.247:443, has been seen at any time before. (The other configs were shared by @JR0driguezB - thanks, as always.)

This variant C2 server list is obviously not a typographical error, and further demonstrates that the threat actors behind TrickBot have the ability (if not normally the need) to distribute custom C2 server lists for individual campaigns, and possibly infections.

Now, the threat actors behind TrickBot already operate two distinct 'botnets' of infections. With the primary iteration of version updates (which I call iteration A) having begun at version 1000002 (if there was a 1000001 then it has never been shared publicly) and continued through 1000160 up to the current latest version of 1000169. In the week commencing 18th December 2017 I identified a second iteration (iteration B) in shared mcconfs, and have since been shared data for 1000013 through 1000068, as shown in the following graph.

It is unlikely that this second version 1000160 config relates to the iteration B botnet. Firstly, iteration B has not been updated since the change to 1000068 on 28th February 2018. Secondly, the jump from 1000068 to 1000160 would skip a large number of version numbers for no obvious reason (although it feasibly could be done in error). Whether it indicates the start of a new iteration is unclear at this time.

***
Update: In fact this second 1000160 config did identify the start of a third infection network; the tracking of this third botnet (iteration C) begins here.
***

Weekly TrickBot Analysis - End of w/c 26-Mar-2018 to A-1000162 and B-1000068

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 26th March 2018. This analysis covers 1,904unique C2 IP addresses used in 360 mcconfs across 199 versions, with highest versions of A-1000162 and B-1000068.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Six new versions were discovered in the week commencing 26th March 2018 (A-1000157, A-1000158, A-1000159, A-1000160, A-1000161, and A-1000162), eight the week before, and six the week before that. All six of the discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000162. The secondary botnet, which is reusing earlier version numbers, was not extended in the discovered versions and remains unchanged for four weeks. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.)

The following graph shows the number of server entries using ports:

• 443 (HTTPS);
• 444 (Simple Network Paging Protocol) -- INACTIVE;
• 445 (IBM AS Server Mapper) -- INACTIVE;
• 449 (Cray Network Semaphore Server); and 
• 451 (SMB) -- INACTIVE.

Ever since version 1000123, at the start of February, the iteration A configs' command and control (C2) server lists have had a maximum of 21 entries. (The iteration B config's had a similar limit of 22 entries when they were active.) There have been a few fluctuations below the high teens, but overall the average number of servers for iteration A configs has been 17.7 across the 37 most recent versions. The current resurgence in :449 servers continues, all be it the number dropped from 8 to 6 through the last week.

The following table shows the top 25 servers (of  1,904 unique) used within the 199 versions. This table underwent numerous changes since last week, with 6 servers entering the table as they were used multiple times this week.

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 360 mcconfs analysed. 

49 C2 servers were used in the mcconfs from this week, of which 36 (73%) were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to ASN routed through RU (and so the graph below's Y-axis is cut short to allow clearer viewing of other country counts). The new servers' IP addresses are associated with ASN routed to: 23xRU, 7xUA, 3xFR, 2xPL, and 1xNA.

The following map shows the geographical location of 43 (those with location data) of 44 (scanned by Shodan) of the 49 C2 servers used in the analysed configs.

According to Shodan's most recent data:

• 11 are MikroTik devices, 1 is an N5N device, and 1 is an NB5 device.
• 24 are running OpenSSH, 16 are running nginx, seven are running Apache, six are running Exim, three are running MySQL, one is running Dropbear SSH, one is running node.js, one is running Pro FTP, and one is running VNC.

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.

Full size versions of the images included in this post are available here.

Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer,@voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary,@Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell, @0x7fff9 and @MalwareSecrets for sharing the mcconfs.