There have been times when multiple server lists have been seen for a particular mcconf version number; such occurrences have one of two explanations:
- One reason is that the distinct lists are from distinct botnets. While there is a core TrickBot botnet (iteration A through the version numbers), so far several others have been seen active for periods of time.
- However, in some cases the TrickBot operators have simply, presumably unintentionally, created discrepancies in configs - I refer to these as 'fumbles'.
Version 1000238, from 26th July 2018, may have seen just such a fumble.
While the test 'tt0002' gtag for this version was distributed with a distinct C2 server list compared to 1000237 (thanks to @JR0driguez for the share), one researcher (@James_inthe_box) shared a 'ser0726us' gtag for version 1000238 that had a C2 server list matching that of 1000237. In contrast, two other 1000238 mcconfs shared since had the 'tt0002' C2 server list - and one of these was a second copy of 'ser0726us' (shared by @MalHunters). The other was for gtag 'sat25' and was shared by @James_inthe_box.
Figure 1 illustrates the differences, most notably with the additional entry present in the 'tt0002', second 'ser0726us', and 'sat25' gtag 1000238 configs. I've highlighted key entries to aid a more detailed review.
Figure 1 - C2 Server Lists for Versions 1000237 and 1000238
At this time, the initial 'ser0726us' looks to have been a fumble - a premature release without updates to the C2 server list.
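One way to make this version-over-version comparison mechanically, as an added example that is not part of the original post: group observed mcconfs by version and gtag, and for any version carrying more than one distinct list, label a list that is identical to the previous version's as a likely 'fumble' (stale) and any other as 'distinct'. The records below are constructed placeholders, not real C2 entries.

```python
from collections import defaultdict

# Constructed sample records: (version, gtag, C2 server list).
# Server entries are placeholders, not real TrickBot C2 addresses.
OBSERVED = [
    (1000237, "tt0001",    ["srv-a", "srv-b", "srv-c"]),
    (1000238, "tt0002",    ["srv-a", "srv-b", "srv-c", "srv-d"]),
    (1000238, "ser0726us", ["srv-a", "srv-b", "srv-c"]),   # list reused from 1000237
    (1000238, "ser0726us", ["srv-a", "srv-b", "srv-c", "srv-d"]),
    (1000238, "sat25",     ["srv-a", "srv-b", "srv-c", "srv-d"]),
]


def lists_by_version(records):
    """Map version -> {frozenset(server list) -> set of gtags seen with it}."""
    out = defaultdict(lambda: defaultdict(set))
    for version, gtag, servers in records:
        out[version][frozenset(servers)].add(gtag)
    return out


def classify(records):
    """For each version with more than one distinct C2 list, label each list
    'stale' if it is identical to a list seen in the preceding version (a likely
    fumble) and 'distinct' otherwise (a candidate for a separate botnet).
    Returns {version: [(label, sorted gtags, sorted servers), ...]}."""
    by_ver = lists_by_version(records)
    versions = sorted(by_ver)
    findings = {}
    for i, ver in enumerate(versions):
        lists = by_ver[ver]
        if len(lists) < 2:
            continue  # a single list per version is unremarkable
        prev_lists = set(by_ver[versions[i - 1]]) if i else set()
        findings[ver] = []
        for servers, gtags in lists.items():
            label = "stale" if servers in prev_lists else "distinct"
            findings[ver].append((label, sorted(gtags), sorted(servers)))
        findings[ver].sort()
    return findings


if __name__ == "__main__":
    for version, entries in classify(OBSERVED).items():
        for label, gtags, servers in entries:
            print(version, label, gtags, servers)
```

Version 1000237 carries only one list and is not flagged; for 1000238 the three-entry list seen only under 'ser0726us' is labelled stale, while the four-entry list shared by 'tt0002', the second 'ser0726us' and 'sat25' is labelled distinct.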
However, I shall monitor for subsequent distinct versions indicative of a new botnet.