Version 1000160, from 28th March 2018, is the only other time (so far shared) that two different C2 server lists have been seen for a single version of mcconf (within a single iteration of the version numbers - see below). However, in this case the two server lists are dramatically different. The test list (and an exact copy used for gtag 'ser0329a') look to continue the iteration A sequence of versions, with C2 servers which share a good number of entries with those from versions 1000159 and 1000161 (as seen in the image below). The config shared by @Ring0x0 for gtag 'uk03-1', however, contains very different servers; and only one of these, 185.146.156.247:443, has been seen at any time before. (The other configs were shared by @JR0driguezB - thanks, as always.)
This variant C2 server list is obviously not a typographical error, and further demonstrates that the threat actors behind TrickBot have the ability (if not normally the need) to distribute custom C2 server lists for individual campaigns, and possibly infections.
Now, the threat actors behind TrickBot already operate two distinct 'botnets' of infections. With the primary iteration of version updates (which I call iteration A) having begun at version 1000002 (if there was a 1000001 then it has never been shared publicly) and continued through 1000160 up to the current latest version of 1000169. In the week commencing 18th December 2017 I identified a second iteration (iteration B) in shared mcconfs, and have since been shared data for 1000013 through 1000068, as shown in the following graph.
It is unlikely that this second version 1000160 config relates to the iteration B botnet. Firstly, iteration B has not been updated since the change to 1000068 on 28th February 2018. Secondly, the jump from 1000068 to 1000160 would skip a large number of version numbers for no obvious reason (although it feasibly could be done in error). Whether it indicates the start of a new iteration is unclear at this time.
***
Update: In fact this second 1000160 config did identify the start of a third infection network; the tracking of this third botnet (iteration C) begins here.
***
Now, the threat actors behind TrickBot already operate two distinct 'botnets' of infections. With the primary iteration of version updates (which I call iteration A) having begun at version 1000002 (if there was a 1000001 then it has never been shared publicly) and continued through 1000160 up to the current latest version of 1000169. In the week commencing 18th December 2017 I identified a second iteration (iteration B) in shared mcconfs, and have since been shared data for 1000013 through 1000068, as shown in the following graph.
It is unlikely that this second version 1000160 config relates to the iteration B botnet. Firstly, iteration B has not been updated since the change to 1000068 on 28th February 2018. Secondly, the jump from 1000068 to 1000160 would skip a large number of version numbers for no obvious reason (although it feasibly could be done in error). Whether it indicates the start of a new iteration is unclear at this time.
***
Update: In fact this second 1000160 config did identify the start of a third infection network; the tracking of this third botnet (iteration C) begins here.
***