Weekly TrickBot Analysis - End of w/c 19-Mar-2018 to A-1000155 and B-1000068

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 19th March 2018. This analysis covers 1,868 unique C2 IP addresses used in 353 mcconfs across 193 versions, with highest versions of A-1000155 and B-1000068.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Eight new versions were discovered in the week commencing 19th March 2018 (A-1000148, A-1000149, A-1000150, A-1000151, A-1000152, A-1000153, A-1000154, and A-1000155), six the week before, and four the week before that. All eight of the discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000155. The secondary botnet, which is reusing earlier version numbers, was not extended in the discovered versions and remains unchanged for three weeks. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.)

The following graph shows the number of server entries using ports:

• 443 (HTTPS);
• 444 (Simple Network Paging Protocol) -- INACTIVE;
• 445 (IBM AS Server Mapper) -- INACTIVE;
• 449 (Cray Network Semaphore Server); and 
• 451 (SMB) -- INACTIVE.

This week's iteration A configs' command and control (C2) server lists were shortened to 10 servers for several versions before returning to a comparable length to those of the last three weeks'. Most notably, last week two :449 servers were switched to :451 (SMB) servers on the same IP address. After two versions using :451 these two servers were this week switched to :443 (HTTPS) on the same IP address, and remained using this port throughout the week's versions.

The following table shows the top 25 servers (of  1,815 unique) used within the 185 versions. There were no changes from last week.

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 353 mcconfs analysed. 

62 C2 servers were used in the mcconfs from this week, of which 55 (89%) were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to ASN routed through RU (and so the graph below's Y-axis is cut short to allow clearer viewing of other country counts). The new servers' IP addresses are associated with ASN routed to: 24xRU, 14xUA, 10xPL, 4xFR, 1xBG, 1xKZ, and 1xSE.

The following map shows the geographical location of 44 (those with location data) of 45 (scanned by Shodan) of the 62 C2 servers used in the analysed configs.

According to Shodan's most recent data:

• 8 are MikroTik devices, 1 is an ER-X device, 1 is an N5N device, and 1 is an NB5 device.
• 17 are running nginx, 16 are running OpenSSH, nine are running Apache, four are running Dropbear SSH, four are running Exim, four are running MySQL, two are running Postfix, two are running VNC, and one is running Pure FTP.

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.

Full size versions of the images included in this post are available here.

Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer,@voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary,@Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell, @0x7fff9 and @MalwareSecrets for sharing the mcconfs.