Monday 20 August 2018

Weekly TrickBot Analysis - End of w/c 06-Aug-2018 to A-1000245, B-1000068, and C-1000198

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 6th August 2018. This analysis covers 2,554 unique C2 IP addresses used in 533 mcconfs across 297 versions, with highest versions of A-1000245, B-1000068, and C-1000198.

Background:
Since its first use from approximately 19th October 2016, TrickBot has frequently issued new versions of its XML configuration file, mcconf. Originally there was a single chain of config versions which started at 1000002. (There may have been a 1000001, but it has not been shared publicly.) I refer to this original sequence as iteration A. On 16th November 2017 TrickBot mcconfs were issued for older version numbers than the current iteration A configs, but with different command and control (C2) servers from those in that version's iteration A config. This indicated the start of iteration B, a new sequence of configs believed to be for a second botnet. While there is a small amount of overlap of the C2 servers between iteration A and iteration B, the majority of C2 servers are specific to an iteration (hence to a botnet). The iteration B botnet stopped receiving new configs on 28th February 2018. As of 28th March 2018 another iteration, iteration C, was started, once again repeating previously used version numbers but with different C2 server lists. Victim hosts in that third botnet were merged into the iteration A botnet as of 23rd May 2018.

This week's analysis:
Figure 1 shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. The flatter the line, the more frequently versions are discovered. Ignore the two long, almost vertical lines which coincide with the switch from one iteration to the next. These vertical lines are purely an artefact of graphing the data in a single series. (Note: Full size versions of all the graphs and tables are available via the link at the end of this post.)

There were three new config versions discovered in the week commencing 6th August 2018 (A-1000243, A-1000244, and A-1000245), four the week before, and four the week before that. All new config versions extend the iteration A botnet, taking this to 1000245. The secondary, iteration B, botnet was not extended in the discovered versions and remains unchanged since 1000068 of 28th February 2018. The tertiary, iteration C, botnet was merged into the iteration A botnet on 23rd May 2018.

Figure 1 - TrickBot Version Discovery Dates

The following graphs (Figures 2 and 3) show the number of server entries using ports:
  • 443 (HTTPS);
  • 444 (Simple Network Paging Protocol) -- INACTIVE;
  • 445 (IBM AS Server Mapper) -- INACTIVE;
  • 449 (Cray Network Semaphore Server); and 
  • 451 (SMB) -- INACTIVE.
Figure 2 is for iteration A configs; Figure 3 is for the previous iteration B and C configs. Since mid April 2018, the length of the C2 server lists has stabilised significantly in iteration A configs, with between 25 and 33 server entries. Between April 2018 and late June 2018, the percentage of :443 (HTTPS) servers in those lists increased (albeit with intermittent, temporary drops), from a third to almost all of the list. During June and July 2018, the number of server entries and the proportion of :443 (HTTPS) servers saw little fluctuation. As of August 2018, the proportion of :443 (HTTPS) servers has fallen somewhat.

Figure 2 - TrickBot SRV Port Usage (Iteration A)

Figure 3 - TrickBot SRV Port Usage (Iterations B and C)

Figure 4 shows the top 25 servers (of 2,575 unique) used within the 297 versions. Server 109[.]86[.]227[.]152[:]443, introduced in May, reached 2nd position in the second week of July. However, this server has now dropped out of configs. Server 158[.]58[.]131[.]54[:]443 continues to be used and has moved up to 3rd place, with 182[.]253[.]210[.]130[:]449 close behind. Finally, 70[.]79[.]178[.]120[:]449 entered the top 25 this week at 20th spot.

Figure 4 - TrickBot Top 25 SRV

Figure 5 shows the number of mcconfs per campaign identifier for identifiers seen more than once. A full breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 533 mcconfs analysed is provided in the downloadable zip file at the bottom of the post.

Figure 5 - TrickBot Campaign mcconf Counts (where seen more than once)

38 unique C2 servers were used in the mcconfs from this week, of which 17 (45%) were new. Figure 6 shows the proportional server count of mcconfs shared each week (relative to the greatest count in any week), along with the percentage churn of the servers. The linear churn trend line (dotted) highlights that the churn percentage has been reducing since December 2017, with an increasing number of servers being re-used from one week to the next. However, the 8-week rolling average (dashed) shows that this long-term trend recently levelled off.

The reduced churn percentage, regular number of unique C2 servers used per week, stabilised length of mcconf server list, and stable percentage of :443 servers through the last few months all demonstrate the increased maturity and stability of TrickBot infrastructure management.
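The three metrics the posts rely on (weekly server churn, the :443 share of a config's server list, and the "re-used lower version number with a different server list" rule that marks a new iteration) are easy to reproduce once the mcconfs have been parsed. The following is an added example, not the author's tooling; it works on a constructed list of (week, version, server list) records using RFC 5737 documentation addresses, and assumes the XML has already been reduced to that form.

```python
"""Weekly mcconf metrics as described in the posts above: churn, :443 share
and iteration (chain) assignment. Added example, not the author's tooling.
Input is a constructed list of (week, version, ["ip:port", ...]) records
using RFC 5737 documentation addresses; XML parsing of real mcconfs is
assumed to have been done already."""
from collections import Counter

# Constructed sample data (not real TrickBot C2 addresses).
SAMPLE = [
    ("w1", 1000100, ["192.0.2.10:443", "192.0.2.11:443", "198.51.100.5:449"]),
    ("w1", 1000101, ["192.0.2.10:443", "192.0.2.12:443", "198.51.100.5:449"]),
    # Re-uses an older version number with a different server list: iteration B.
    ("w2", 1000060, ["203.0.113.7:443", "203.0.113.8:449"]),
    ("w2", 1000102, ["192.0.2.10:443", "192.0.2.12:443", "198.51.100.6:449"]),
    ("w3", 1000061, ["203.0.113.7:443", "203.0.113.9:443"]),
]


def weekly_churn(records):
    """Per week: (week, unique servers, servers never seen in an earlier week,
    churn %), churn being the figure quoted in the posts (new / unique)."""
    by_week = {}
    for week, _ver, servers in records:
        by_week.setdefault(week, set()).update(servers)   # dict keeps week order
    seen, out = set(), []
    for week, uniq in by_week.items():
        new = uniq - seen
        out.append((week, len(uniq), len(new), round(100 * len(new) / len(uniq))))
        seen |= uniq
    return out


def port_share(servers, port=443):
    """Fraction of one config's server entries on the given port (Figures 2/3)."""
    ports = Counter(s.rsplit(":", 1)[1] for s in servers)
    return ports[str(port)] / len(servers)


def assign_iterations(records):
    """Label each config A, B, C... using the posts' rule: a config whose
    version is below the current chain's highest version, and which is not
    the config already recorded for that version, starts a new chain."""
    chains, labels = [], []      # each chain: {"max": int, "confs": {ver: servers}}
    for _week, ver, servers in records:
        srv, placed = frozenset(servers), None
        for i, ch in enumerate(chains):
            known = ch["confs"].get(ver)
            if known is not None and known == srv:   # same config re-shared
                placed = i
                break
            if known is None and ver > ch["max"]:    # extends this chain
                placed = i
                break
            # otherwise: same version with other servers, or older than the chain
        if placed is None:                           # no existing chain accepts it
            chains.append({"max": ver, "confs": {}})
            placed = len(chains) - 1
        chains[placed]["confs"][ver] = srv
        chains[placed]["max"] = max(chains[placed]["max"], ver)
        labels.append(chr(ord("A") + placed))
    return labels


if __name__ == "__main__":
    for row in weekly_churn(SAMPLE):
        print("%s: %d unique, %d new (%d%% churn)" % row)
    print(assign_iterations(SAMPLE))
```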

Figure 6 - TrickBot Weekly Advertised SRV Count and Churn

The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased towards ASNs routed through RU (and so Figure 7's Y-axis is cut short to allow clearer viewing of the other country counts). The new servers' IP addresses are associated with ASNs routed to: 4xRU, 3xFR, 3xUA, 2xIN, 1xAU, 1xGE, 1xNO, 1xSE, and 1xUS.

Figure 7 - TrickBot SRV IP Address BGP Prefix Country Codes

Figure 8 shows the geographical location of 36 of the 38 C2 server IP addresses used in the analysed configs: Shodan had scanned 36 of the 38, and all 36 of those had location data.

According to Shodan's most recent data:
  • Eight are Ubiquiti devices and four are MikroTik devices.
  • 15 are running nginx, 15 are running OpenSSH, 11 are running Dropbear SSH, three are running Squid HTTP proxy, two are running PostgreSQL, one is running Apache, one is running Exim, one is running IIS, one is running uc-httpd, and one is running VNC.

Figure 8 - TrickBot C2 Server IP Locations For New Configs

Figure 9 shows the top 25 BGP prefixes used by TrickBot for C2 servers. A breakdown of the BGP allocations of C2 servers' IP addresses to country by TrickBot version is provided in the downloadable zip file at the bottom of the post.

Figure 9 - TrickBot Top 25 BGP Prefixes

Full size versions of the figures included in this post are available here, along with two breakdowns (gtag and BGP) which are too large to show above. I've also created a page documenting the various discrepancies identified in TrickBot's mcconf files.

Thanks to hasherezade, mpvillafranca94, JR0driguezB, 0bscureC0de, VK_Intel, K_N1kolenko, botNET___, ArnaudDlms, StackGazer, voidm4p, James_inthe_box, MakFLwana, _ddoxer, spalomaresg, virsoz, moutonplacide, JasonMilletary, Ring0x0, precisionsec, Techhelplistcom, pollo290987, MalHunters, coldshell, 0x7fff9, kobebryamV2, dvk01uk, benkow_, MalwareSecrets, SaurabhSha15, abuse_ch, HerbieZimmerman, Artilllerie, and mesa_matt.

This post was made by @EscInSecurity and first appeared on https://escinsecurity.blogspot.com/.

Monday 13 August 2018

Weekly TrickBot Analysis - End of w/c 30-Jul-2018 to A-1000242, B-1000068, and C-1000198

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 30th July 2018. This analysis covers 2,537 unique C2 IP addresses used in 529 mcconfs across 294 versions, with highest versions of A-1000242, B-1000068, and C-1000198.

This week's analysis:
Figure 1 shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. The flatter the line, the more frequently versions are discovered. Ignore the two long, almost vertical lines which coincide with the switch from one iteration to the next. These vertical lines are purely an artefact of graphing the data in a single series. (Note: Full size versions of all the graphs and tables are available via the link at the end of this post.)

There were four new config versions discovered in the week commencing 30th July 2018 (A-1000239, A-1000240, A-1000241, and A-1000242), four the week before, and five the week before that. All new config versions extend the iteration A botnet, taking this to 1000242. The secondary, iteration B, botnet was not extended in the discovered versions and remains unchanged since 1000068 of 28th February 2018. The tertiary, iteration C, botnet was merged into the iteration A botnet on 23rd May 2018.

Figure 1 - TrickBot Version Discovery Dates

The following graphs (Figures 2 and 3) show the number of server entries using ports:
  • 443 (HTTPS);
  • 444 (Simple Network Paging Protocol) -- INACTIVE;
  • 445 (IBM AS Server Mapper) -- INACTIVE;
  • 449 (Cray Network Semaphore Server); and 
  • 451 (SMB) -- INACTIVE.
Figure 2 is for iteration A configs; Figure 3 is for the previous iteration B and C configs. Since mid April 2018, the length of the C2 server lists has stabilised significantly in iteration A configs, with between 25 and 33 server entries. Between April 2018 and late June 2018, the percentage of :443 (HTTPS) servers in those lists increased (albeit with intermittent, temporary drops), from a third to almost all of the list. Since late June 2018, the number of server entries and the proportion of :443 (HTTPS) servers had seen little fluctuation until this week.

Figure 2 - TrickBot SRV Port Usage (Iteration A)

Figure 3 - TrickBot SRV Port Usage (Iterations B and C)

Figure 4 shows the top 25 servers (of 2,558 unique) used within the 294 versions. Server 109[.]86[.]227[.]152[:]443, introduced in May, reached 2nd position several weeks ago. It is close to becoming the most used C2 server. Server 158[.]58[.]131[.]54[:]443 has also seen ongoing use and is not far behind.

Figure 4 - TrickBot Top 25 SRV

Figure 5 shows the number of mcconfs per campaign identifier for identifiers seen more than once. A full breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 529 mcconfs analysed is provided in the downloadable zip file at the bottom of the post.

Figure 5 - TrickBot Campaign mcconf Counts (where seen more than once)

44 unique C2 servers were used in the mcconfs from this week, of which 25 (57%) were new. Figure 6 shows the proportional server count of mcconfs shared each week (relative to the greatest count in any week), along with the percentage churn of the servers. The linear churn trend line (dotted) highlights that the churn percentage is reducing, with an increasing number of servers being re-used from one week to the next. (The 8-week rolling average, dashed, shows that this trend recently levelled off.) Other than last week, the previous twelve weeks had seen the number of new servers detected averaging just under 50, with counts of 50, 58, 56, 50, 52, 35, 50, 50, 45, 45, 28, and 44.

The reducing churn percentage, regular number of unique C2 servers used per week, stabilised length of mcconf server list, and stable percentage of :443 servers all demonstrate the increased maturity and stability of TrickBot infrastructure management.

Figure 6 - TrickBot Weekly Advertised SRV Count and Churn

The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased towards ASNs routed through RU (and so Figure 7's Y-axis is cut short to allow clearer viewing of the other country counts). The new servers' IP addresses are associated with ASNs routed to: 12xRU, 2xID, 2xLU, 2xUS, 1xAR, 1xAT, 1xBR, 1xES, 1xGH, 1xIN, and 1xPL.

Figure 7 - TrickBot SRV IP Address BGP Prefix Country Codes

Figure 8 shows the geographical location of 40 of the 44 C2 server IP addresses used in the analysed configs: Shodan had scanned 40 of the 44, and all 40 of those had location data.

According to Shodan's most recent data:
  • Nine are Ubiquiti devices and five are MikroTik devices.
  • 21 are running nginx, 14 are running Dropbear SSH, 13 are running OpenSSH, two are running Apache, two are running uc-httpd, one is running Exim, and one is running IIS.

Figure 8 - TrickBot C2 Server IP Locations For New Configs

Figure 9 shows the top 25 BGP prefixes used by TrickBot for C2 servers. A breakdown of the BGP allocations of C2 servers' IP addresses to country by TrickBot version is provided in the downloadable zip file at the bottom of the post.

Figure 9 - TrickBot Top 25 BGP Prefixes

Full size versions of the figures included in this post are available here, along with two breakdowns (gtag and BGP) which are too large to show above. I've also created a page documenting the various discrepancies identified in TrickBot's mcconf files.

Monday 6 August 2018

Weekly TrickBot Analysis - End of w/c 23-Jul-2018 to A-1000238, B-1000068, and C-1000198

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 23rd July 2018. This analysis covers 2,512 unique C2 IP addresses used in 524 mcconfs across 290 versions, with highest versions of A-1000238, B-1000068, and C-1000198.

This week's analysis:
Figure 1 shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. The flatter the line, the more frequently versions are discovered. Ignore the two long, almost vertical lines which coincide with the switch from one iteration to the next. These vertical lines are purely an artefact of graphing the data in a single series. (Note: Full size versions of all the graphs and tables are available via the link at the end of this post.)

There were four new config versions discovered in the week commencing 23rd July 2018 (A-1000235, A-1000236, A-1000237, and A-1000238), five the week before, and five the week before that. All new config versions extend the iteration A botnet, taking this to 1000238. The secondary, iteration B, botnet was not extended in the discovered versions and remains unchanged since 1000068 of 28th February 2018. The tertiary, iteration C, botnet was merged into the iteration A botnet on 23rd May 2018.

Figure 1 - TrickBot Version Discovery Dates

The following graphs (Figures 2 and 3) show the number of server entries using ports:
  • 443 (HTTPS);
  • 444 (Simple Network Paging Protocol) -- INACTIVE;
  • 445 (IBM AS Server Mapper) -- INACTIVE;
  • 449 (Cray Network Semaphore Server); and 
  • 451 (SMB) -- INACTIVE.
Figure 2 is for iteration A configs; Figure 3 is for the previous iteration B and C configs. Since mid April 2018, the length of the C2 server lists has stabilised significantly in iteration A configs, with between 25 and 33 server entries. Between April 2018 and late June 2018, the percentage of :443 (HTTPS) servers in those lists increased (albeit with intermittent, temporary drops), from a third to almost all of the list. Since late June 2018, the number of server entries and the proportion of :443 (HTTPS) servers have seen little fluctuation.

Figure 2 - TrickBot SRV Port Usage (Iteration A)

Figure 3 - TrickBot SRV Port Usage (Iterations B and C)

Figure 4 shows the top 25 servers (of 2,533 unique) used within the 290 versions. Server 109[.]86[.]227[.]152[:]443 continues to be used, having been introduced in May and reached 2nd position several weeks ago. Two other servers, 93[.]109[.]242[.]134[:]443 and 158[.]58[.]131[.]54[:]443, have also seen ongoing use and are in 3rd and 4th place. Server 182[.]253[.]210[.]130[:]449 has continued climbing the list and is now in 5th place.

Figure 4 - TrickBot Top 25 SRV

Figure 5 shows the number of mcconfs per campaign identifier for identifiers seen more than once. A full breakdown of detected TrickBot campaign 'gtag' (group tags) values used in the 524 mcconfs analysed is provided in the downloadable zip file at the bottom of the post.

Figure 5 - TrickBot Campaign mcconf Counts (where seen more than once)

28 unique C2 servers were used in the mcconfs from this week, of which 6 (21%) were new. Figure 6 shows the proportional server count of mcconfs shared each week (relative to the greatest count in any week), along with the percentage churn of the servers. The churn trend line highlights that the churn percentage is reducing, with an increasing number of servers being re-used from one week to the next. Prior to this week, the last ten weeks had seen the number of new servers detected averaging just under 50, with counts of 50, 58, 56, 50, 52, 35, 50, 50, 45, and 45.

The reducing churn percentage, regular number of unique C2 servers used per week, stabilised length of mcconf server list, and stable percentage of :443 servers all demonstrate the increased maturity and stability of TrickBot infrastructure management.

Figure 6 - TrickBot Weekly Advertised SRV Count and Churn

The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased towards ASNs routed through RU (and so Figure 7's Y-axis is cut short to allow clearer viewing of the other country counts). The new servers' IP addresses are associated with ASNs routed to: 2xNL, 2xUA, 1xCA, and 1xRU.

Figure 7 - TrickBot SRV IP Address BGP Prefix Country Codes

Figure 8 shows the geographical location of all 28 C2 server IP addresses used in the analysed configs: Shodan had scanned all 28, and all 28 had location data.

According to Shodan's most recent data:
  • Seven are Ubiquiti devices and one is a MikroTik device.
  • 21 are running nginx, 13 are running Dropbear SSH, 10 are running OpenSSH, two are running Exim, one is running Apache, and one is running uc-httpd.

Figure 8 - TrickBot C2 Server IP Locations For New Configs

Figure 9 shows the top 25 BGP prefixes used by TrickBot for C2 servers. A breakdown of the BGP allocations of C2 servers' IP addresses to country by TrickBot version is provided in the downloadable zip file at the bottom of the post.

Figure 9 - TrickBot Top 25 BGP Prefixes

Full size versions of the figures included in this post are available here, along with two breakdowns (gtag and BGP) which are too large to show above. I've also created a page documenting the various discrepancies identified in TrickBot's mcconf files.