Weekly TrickBot Analysis - End of w/c 26-Mar-2018 to A-1000162 and B-1000068

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 26th March 2018. This analysis covers 1,904unique C2 IP addresses used in 360 mcconfs across 199 versions, with highest versions of A-1000162 and B-1000068.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Six new versions were discovered in the week commencing 26th March 2018 (A-1000157, A-1000158, A-1000159, A-1000160, A-1000161, and A-1000162), eight the week before, and six the week before that. All six of the discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000162. The secondary botnet, which is reusing earlier version numbers, was not extended in the discovered versions and remains unchanged for four weeks. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.)

The following graph shows the number of server entries using ports:

• 443 (HTTPS);
• 444 (Simple Network Paging Protocol) -- INACTIVE;
• 445 (IBM AS Server Mapper) -- INACTIVE;
• 449 (Cray Network Semaphore Server); and 
• 451 (SMB) -- INACTIVE.

Ever since version 1000123, at the start of February, the iteration A configs' command and control (C2) server lists have had a maximum of 21 entries. (The iteration B config's had a similar limit of 22 entries when they were active.) There have been a few fluctuations below the high teens, but overall the average number of servers for iteration A configs has been 17.7 across the 37 most recent versions. The current resurgence in :449 servers continues, all be it the number dropped from 8 to 6 through the last week.

The following table shows the top 25 servers (of  1,904 unique) used within the 199 versions. This table underwent numerous changes since last week, with 6 servers entering the table as they were used multiple times this week.

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 360 mcconfs analysed. 

49 C2 servers were used in the mcconfs from this week, of which 36 (73%) were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to ASN routed through RU (and so the graph below's Y-axis is cut short to allow clearer viewing of other country counts). The new servers' IP addresses are associated with ASN routed to: 23xRU, 7xUA, 3xFR, 2xPL, and 1xNA.

The following map shows the geographical location of 43 (those with location data) of 44 (scanned by Shodan) of the 49 C2 servers used in the analysed configs.

According to Shodan's most recent data:

• 11 are MikroTik devices, 1 is an N5N device, and 1 is an NB5 device.
• 24 are running OpenSSH, 16 are running nginx, seven are running Apache, six are running Exim, three are running MySQL, one is running Dropbear SSH, one is running node.js, one is running Pro FTP, and one is running VNC.

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version.

Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.

Full size versions of the images included in this post are available here.

Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer,@voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary,@Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell, @0x7fff9 and @MalwareSecrets for sharing the mcconfs.