Sunday, 30 September 2018

Weekly TrickBot Analysis - End of w/c 03-Sep-2018 to A-1000257, B-1000068, and C-1000198

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 3rd September 2018. This analysis covers 2,630 unique C2 IP addresses used in 564 mcconfs across 309 versions, with highest versions of A-1000257, B-1000068, and C-1000198.

Background:
Since its first use from approximately 19th October 2016, TrickBot has frequently issued new versions of its XML configuration file, mcconf. Originally there was a single chain of config versions which started at 1000002. (There may have been a 1000001 but it is not been shared publicly.) I refer to this original sequence as iteration A. On 16th November 2017 TrickBot mcconfs were issued for older version numbers than the current iteration A configs, but with different command and control (C2) servers to those in that version's iteration A config. This indicated the start of iteration B, a new sequence of configs believed to be for a second botnet. While there is a small amount of overlap of the C2 servers between iteration A and iteration B, the majority of C2 servers are specific to an iteration (hence botnet). The iteration B botnet stopped receiving new configs on 28th February 2018. As of 28th March 2018 another iteration, iteration C, was started, once again repeating previously used version numbers but with different C2 server lists. Victim hosts in that third botnet were merged into the iteration A botnet as of 23rd May 2018.

This week's analysis:
Figure 1 shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. The flatter the line, the more frequently versions are discovered. Ignore the two long, almost vertical lines which coincide with the switch from one iteration to the next. These vertical lines are purely an artefact of graphing the data in a single series. (Note: Full size versions of all the graphs and tables are available via the link at the end of this post.)

There were four new config versions discovered in the week commencing 3rd September 2018, (A-1000254, A-1000255, A-1000256, and A-1000257), three the week before, and three the week before that. All new config versions extend the iteration A botnet, taking this to 1000257. The secondary, iteration B, botnet was not extended in the discovered versions and remains unchanged since 1000068 of 28th February 2018. The tertiary, iteration C, botnet was merged into the iteration A botnet on 23rd May 2018.

TrickBot Version Discovery Dates
Figure 1 - TrickBot Version Discovery Dates

The following graphs (Figures 2 and 3) show the number of server entries using ports:
  • 443 (HTTPS);
  • 444 (Simple Network Paging Protocol) -- INACTIVE;
  • 445 (IBM AS Server Mapper) -- INACTIVE;
  • 449 (Cray Network Semaphore Server); and 
  • 451 (SMB) -- INACTIVE.
Figure 2 is for iteration A configs, Figure 3 is for previous iteration B and C configs. Since mid April 2018, the length of the C2 server lists has stabilised significantly in iteration A configs, with between 25 and 33 server entries. Between April 2018 and late June 2018, the percentage of :443 (HTTPS) servers in those lists increased (albeit with intermittent, temporary drops), from 1/3rd to almost all of the list. During June and July 2018, the number of server entries and the proportion of :443 (HTTPS) servers saw little fluctuation. As of August 2018, the proportion of :443 (HTTPS) servers has fallen to approximately 2/3rds.

TrickBot SRV Port Usage (Iteration A)
Figure 2 - TrickBot SRV Port Usage (Iteration A)

TrickBot SRV Port Usage (Iterations B and C)
Figure 3 - TrickBot SRV Port Usage (Iterations B and C)

Figure 4 shows the top 25 servers (of  2,652 unique) used within the 309 versions. After taking first place three weeks ago, server 158[.]58[.]131[.]54[:]443 was only present in three of the four versions from this week. 70[.]79[.]178[.]120[:]449 and 68[.]109[.]83[.]22[:]443 continued being used throughout, however, and continued their climb up the top 25 list.

TrickBot Top 25 SRV
Figure 4 - TrickBot Top 25 SRV

Figure 5 shows the number of mcconfs per campaign identifier for identifiers seen more than once. 


TrickBot Campaign mcconf Counts (where seen more than once)
Figure 5 - TrickBot Campaign mcconf Counts (where seen more than once)

38 unique C2 servers were used in the mcconfs from this week, of which 19 (50%) were new. Figure 6 shows the proportional server count of mcconfs shared each week (when compared to the greatest count in a week), along with the percentage churn of the servers. The linear churn trend line (dotted) highlights that the churn percentage has been reducing since December 2017, with an increasing number of servers being re-used from one week to the next. However, the 8 week rolling average (dashed) shows that this long-term trend recently levelled off.

The reduced churn percentage, regular number of unique C2 servers used per week, stabilised length of mcconf server list, and stable percentage of :443 servers through the last few months all demonstrate the increased maturity and stability of TrickBot infrastructure management.

TrickBot Weekly Advertised SRV Count and Churn
Figure 6 - TrickBot Weekly Advertised SRV Count and Churn

The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to ASN routed through RU (and so Figure 7's Y-axis is cut short to allow clearer viewing of other country counts). The new servers' IP addresses are associated with ASN routed to: 3xUA, 3xUS, 2xID, 2xRU, 1xAT, 1xDE, 1xFR, 1xGT, 1xLT, 1xNP, 1xPH, 1xRO, and 1xTR

TrickBot SRV IP Address BGP Prefix Country Codes
Figure 7 - TrickBot SRV IP Address BGP Prefix Country Codes

Figure 8 shows the geographical location of 37 (those with location data) of 37 (scanned by Shodan) of the 38 C2 server IP addresses used in the analysed configs.

According to Shodan's most recent data:
  • Nine are MikroTik devices and seven are Ubiquiti devices.
  • 13 are running OpenSSH, 13 are running nginx, six are running Dropbear SSH, two are running Apache, two are running Postfix, two are running Squid HTTP proxy, and one is running VNC.
TrickBot C2 Server IP Locations For New Configs
Figure 8 - TrickBot C2 Server IP Locations For New Configs

Figure 9 shows the top 25 BGP prefixes used by TrickBot for C2 servers.

TrickBot Top 25 BGP Prefixes
Figure 9 - TrickBot Top 25 BGP Prefixes

Full size versions of the figures included in this post are available here. I also have a page documenting the various discrepancies identified in TrickBot's mcconf files.

Thanks to hasherezade, mpvillafranca94, JR0driguezB, 0bscureC0de, VK_Intel, K_N1kolenko, botNET___, ArnaudDlms, StackGazer, voidm4p, James_inthe_box, MakFLwana, _ddoxer, spalomaresg, virsoz, moutonplacide, JasonMilletary, Ring0x0, precisionsec, Techhelplistcom, pollo290987, MalHunters, coldshell, 0x7fff9, kobebryamV2, dvk01uk, benkow_, MalwareSecrets, SaurabhSha15, abuse_ch, HerbieZimmerman, Artilllerie, and mesa_matt.

This post was made by @EscInSecurity and first appeared on https://escinsecurity.blogspot.com/.