Monday, 4 June 2018

Weekly TrickBot Analysis - End of w/c 28-May-2018 to A-1000205, B-1000068, and C-1000198

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 28th May 2018. This analysis covers 2,339 unique C2 IP addresses used in 448 mcconfs across 258 versions, with highest versions of A-1000205, B-1000068, and C-1000198.

Since its first use from approximately 19th October 2016, TrickBot has frequently issued new versions of its XML configuration file, mcconf. Originally there was a single chain of config versions which started at 1000002. (There may have been a 1000001 but it has not been shared publicly.) I refer to this original sequence as iteration A. On 16th November 2017 TrickBot mcconfs were issued for older version numbers than the current iteration A configs, but with different command and control (C2) servers to those in that version's iteration A config. This indicated the start of iteration B, a new sequence of configs believed to be for a second botnet. While there is a small amount of overlap of the C2 servers between iteration A and iteration B, the majority of C2 servers are specific to an iteration (hence botnet). The iteration B botnet stopped receiving new configs on 28th February 2018. As of 28th March 2018 another iteration, iteration C, was started, once again repeating previously used version numbers but with different C2 server lists. Victim hosts in that third botnet were merged into the iteration A botnet as of 23rd May 2018.

This week's analysis:
The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. The flatter the line, the more frequently versions are discovered. Ignore the two long, almost vertical lines which coincide with the switch from one iteration to the next. These vertical lines are purely an artefact of graphing the data in a single series. (Note: Full size versions of all the graphs and tables are available via the link at the end of this post.)

There were five new config versions discovered in the week commencing 21st May 2018 (A-1000201, A-1000202, A-1000203, A-1000204, and A-1000205), six the week before, and three the week before that. All new config versions extend the iteration A botnet, taking this to 1000205. The secondary, iteration B, botnet was not extended in the discovered versions and remains unchanged since 1000068 of 28th February 2018. The tertiary, iteration C, botnet was merged into the iteration A botnet on 23rd May 2018.

TrickBot Version Discovery Dates

The following graph shows the number of server entries using each C2 port. The IANA service name is given for reference only; TrickBot's C2 traffic is HTTPS on whichever of these ports it uses, so the registered service has no bearing on what is actually spoken:
  • 443 (HTTPS);
  • 444 (Simple Network Paging Protocol, SNPP) -- INACTIVE;
  • 445 (Microsoft-DS, i.e. SMB) -- INACTIVE;
  • 449 (AS Server Mapper); and
  • 451 (Cray Network Semaphore Server) -- INACTIVE.
Since mid April, the length of the C2 server lists in iteration A configs has stabilised significantly, at between 25 and 33 server entries. The percentage of :443 (HTTPS) servers in those lists has steadily increased since late April, from one third to two thirds of the list.

TrickBot SRV Port Usage

The following table shows the top 25 servers (of 2,339 unique) used within the 258 versions. I've fixed a minor flaw in the analysis supporting this table this week. Previously the "First Used" and "Last Used" columns were selected based on sequential version order, which is no longer accurate given the use of multiple infection networks that reuse version numbers. Instead, I'm now determining these values based on date of discovery, and the table is ordered by greatest number of uses, then earliest first use, then most recent last use, and finally server address. As such there are a number of changes since last week. These changes are clearest in the "Last Used" column.

TrickBot Top 25 SRV

The following table shows the breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 448 mcconfs analysed. (Yes, I know it's unreadable - it's just here as a guide to show what's in the downloadable zip file at the bottom of the post.)

TrickBot gtag Breakdown

50 C2 servers were used in the mcconfs from this week, of which 29 (58%) were new. The following graph shows the proportional server count of mcconfs shared each week (when compared to the greatest count in a week), along with the percentage churn of the servers.

TrickBot Weekly Advertised SRV Count and Churn
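The port breakdown above, the weekly new-server churn, and the "same version number, different C2 list" signal used in the introduction to recognise a new iteration can all be computed directly from the mcconf XML. The following Python is an added example, not the tooling behind this post: it assumes the widely published mcconf layout (a <mcconf> root holding <ver>, <gtag> and a <servs> list of <srv> "ip:port" entries) and runs over three constructed configs whose versions, gtags and addresses are invented (RFC 5737 documentation ranges), so it works offline.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample mcconfs for illustration only. The element layout follows
# the published TrickBot mcconf structure, but that layout is an assumption of
# this example, and every version, gtag and address below is invented.
SAMPLE_MCCONFS = [
    # "Week 1", iteration A-style config
    """<mcconf><ver>1000065</ver><gtag>tt0002</gtag><servs>
       <srv>192.0.2.10:443</srv><srv>192.0.2.11:449</srv><srv>198.51.100.5:449</srv>
       </servs></mcconf>""",
    # "Week 1", same version number but a different C2 list: the iteration signal
    """<mcconf><ver>1000065</ver><gtag>sat1</gtag><servs>
       <srv>203.0.113.7:443</srv><srv>203.0.113.8:443</srv><srv>198.51.100.5:449</srv>
       </servs></mcconf>""",
    # "Week 2", next version: one server reused, two new ones
    """<mcconf><ver>1000066</ver><gtag>tt0002</gtag><servs>
       <srv>192.0.2.10:443</srv><srv>192.0.2.12:443</srv><srv>192.0.2.13:449</srv>
       </servs></mcconf>""",
]


def parse_mcconf(xml_text):
    """Parse one mcconf into {ver, gtag, servers=[(ip, port), ...]}.

    Malformed <srv> entries raise rather than being silently dropped, so a
    bad extraction shows up instead of quietly skewing the server counts.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "mcconf":
        raise ValueError("not an mcconf document: root is <%s>" % root.tag)
    servers = []
    for srv in root.iter("srv"):
        host, sep, port = (srv.text or "").strip().rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError("malformed srv entry: %r" % srv.text)
        servers.append((host, int(port)))
    return {
        "ver": int((root.findtext("ver") or "0").strip()),
        "gtag": (root.findtext("gtag") or "").strip(),
        "servers": servers,
    }


def port_breakdown(configs):
    """Number of <srv> entries per port across the given configs (the SRV port graph)."""
    return Counter(port for cfg in configs for _, port in cfg["servers"])


def https_share(config):
    """Fraction of one config's server list that uses :443."""
    servers = config["servers"]
    return sum(1 for _, port in servers if port == 443) / len(servers) if servers else 0.0


def weekly_churn(previous_ips, current_configs):
    """(servers this week, new servers, % new), keyed on IP as the post counts C2s."""
    current = {ip for cfg in current_configs for ip, _ in cfg["servers"]}
    new = current - set(previous_ips)
    pct_new = round(100 * len(new) / len(current)) if current else 0
    return len(current), len(new), pct_new


def repeated_versions(configs):
    """Version numbers issued more than once with differing C2 IP sets.

    This is the condition the post uses to recognise a new iteration: the same
    version number reappearing with a different server list.
    """
    variants = defaultdict(set)
    for cfg in configs:
        variants[cfg["ver"]].add(frozenset(ip for ip, _ in cfg["servers"]))
    return sorted(ver for ver, sets in variants.items() if len(sets) > 1)


if __name__ == "__main__":
    configs = [parse_mcconf(x) for x in SAMPLE_MCCONFS]
    week1, week2 = configs[:2], configs[2:]
    print("ports:", dict(port_breakdown(configs)))
    print("https share of latest config:", round(https_share(configs[-1]), 2))
    seen = {ip for cfg in week1 for ip, _ in cfg["servers"]}
    print("week 2 churn (count, new, %new):", weekly_churn(seen, week2))
    print("versions issued with differing C2 lists:", repeated_versions(configs))
```

On the constructed data this reports 5 entries on :443 and 4 on :449, a two-thirds HTTPS share for the latest config, 3 servers in week 2 of which 2 (67%) are new, and version 1000065 flagged as issued twice with different C2 lists. Against real mcconfs the same functions should be run per iteration, since, as noted above, a small overlap of C2s between iterations is expected and only the version-list pairing distinguishes them.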

The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased towards ASNs registered in RU (and so the Y-axis of the graph below is cut short to allow clearer viewing of the other country counts). The new servers' IP addresses are associated with ASNs registered in: 22xRU, 1xBR, 1xCA, 1xCR, 1xCY, 1xIN, 1xRO, and 1xUS.

TrickBot SRV IP Address BGP Prefix Country Codes

The following map shows the geographical location of the 44 (of the 50) C2 server IP addresses used in the analysed configs that Shodan has scanned; all 44 have location data.

According to Shodan's most recent data (a host can appear in more than one category, so the service counts do not sum to 44):
  • 19 are Ubiquiti devices.
  • 24 are running Dropbear SSH, 12 are running nginx, 11 are running OpenSSH, 7 are running Apache, 5 are running Exim, 1 is running Microsoft FTP, 1 is running Postfix, and 1 is running ProFTPD.
TrickBot C2 Server IP Locations For New Configs

The following table shows the BGP allocations of C2 servers' IP addresses to country by TrickBot version. (Once again, I know it's unreadable - it's just here as a guide to show what's in the downloadable zip file at the bottom of the post.)

TrickBot SRV IP Address BGP Prefix Country Codes By Version

Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.

TrickBot Top 25 BGP Prefixes

Full size versions of the images included in this post are available here. I've also created a page documenting the various discrepancies identified in TrickBot's mcconf files. This week saw several versions of A-1000200 which I discuss on that page.

Thanks to hasherezade, mpvillafranca94, JR0driguezB, 0bscureC0de, VK_Intel, K_N1kolenko, botNET___, ArnaudDlms, StackGazer, voidm4p, James_inthe_box, MakFLwana, _ddoxer, spalomaresg, virsoz, moutonplacide, JasonMilletary, Ring0x0, precisionsec, Techhelplistcom, pollo290987, MalHunters, coldshell, 0x7fff9, kobebryamV2, dvk01uk, benkow_, MalwareSecrets, SaurabhSha15, and abuse_ch.