Since its first use in approximately October 2016, TrickBot has frequently issued new versions of its XML configuration file, mcconf. Originally there was a single chain of config versions which started at 1000002. (There may have been a 1000001 but it is not been shared publicly.) I refer to this original sequence as iteration A. In November 2017 TrickBot mcconfs were issued for older version numbers than the current iteration A configs, but with different command and control (C2) servers to those in that version's iteration A config. This indicated the start of iteration B, a new sequence of configs believed to be for a second botnet. While there is a small amount of overlap of the C2 servers between iteration A and iteration B, the majority of C2 servers are specific to an iteration (hence botnet). As of late March 2018 another iteration, iteration C, was started, once again repeating previously used version numbers but with different C2 server lists. This week victim hosts in that third botnet were merged into the iteration A botnet.
The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. The flatter the line, the more frequently versions are discovered. Ignore the two long, almost vertical lines which coincide with the switch from one iteration to the next. These vertical lines are purely an artefact of graphing the data in a single series. (Note: Full size versions of all the graphs and tables are available via the link at the end of this post.)
There were six new config versions discovered in the week commencing 21st May 2018 (A-1000196, A-1000197, A-1000198, A-1000199, A-1000200, and C-1000198), three the week before, and three the week before that. Five of the six new config versions extend the iteration A botnet, taking this to 1000200. The secondary, iteration B, botnet was not extended in the discovered versions and remains unchanged since 1000068 of 28th February 2018. The tertiary, iteration C, botnet was merged into the iteration A botnet by updating its configuration direct from 1000185 to the same 1000198 seen in iteration A (well done to JR0driguezB for first spotting this).
- 443 (HTTPS);
- 444 (Simple Network Paging Protocol) -- INACTIVE;
- 445 (IBM AS Server Mapper) -- INACTIVE;
- 449 (Cray Network Semaphore Server); and
- 451 (SMB) -- INACTIVE.
The following map shows the geographical location of 45 (those with location data) of 45 (scanned by Shodan) of the 56 C2 server IP addresses used in the analysed configs.
According to Shodan's most recent data:
The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version. (Once again, I know it's unreadable - it's just here as a guide to show what's in the downloadable zip file at the bottom of the post.)
According to Shodan's most recent data:
- 19 are Ubiquiti devices.
- 22 are running Dropbear SSH, 13 are running OpenSSH, 10 are running nginx, five are running Apache, and five are running Exim.
Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.
Full size versions of the images included in this post are available here. I've also created a page documenting the various discrepancies identified in TrickBot's mcconf files.
Thanks to hasherezade, mpvillafranca94, JR0driguezB, 0bscureC0de, VK_Intel, K_N1kolenko, botNET___, ArnaudDlms, StackGazer, voidm4p, James_inthe_box, MakFLwana, _ddoxer, spalomaresg, virsoz, moutonplacide, JasonMilletary, Ring0x0, precisionsec, Techhelplistcom, pollo290987, MalHunters, coldshell, 0x7fff9, kobebryamV2, dvk01uk, benkow_, MalwareSecrets, and SaurabhSha15.
Thanks to hasherezade, mpvillafranca94, JR0driguezB, 0bscureC0de, VK_Intel, K_N1kolenko, botNET___, ArnaudDlms, StackGazer, voidm4p, James_inthe_box, MakFLwana, _ddoxer, spalomaresg, virsoz, moutonplacide, JasonMilletary, Ring0x0, precisionsec, Techhelplistcom, pollo290987, MalHunters, coldshell, 0x7fff9, kobebryamV2, dvk01uk, benkow_, MalwareSecrets, and SaurabhSha15.
