TrickBot mcconf 'fumbles'

Since its first use in approximately October 2016, TrickBot has frequently issued new versions of its XML configuration file mcconf. Originally there was a single chain of config versions which started at 1000002. (There may have been a 1000001 but it is not shared publicly.) I refer to this original sequence as iteration A. In November 2017 TrickBot mcconfs were issued for older version numbers than the current iteration A configs, but with different command and control (C2) servers from those in that version's iteration A config. This indicated the start of iteration B, a new sequence of configs believed to be for a second botnet. While there is some overlap of the C2 servers between iteration A and iteration B, the majority of C2 servers are specific to an iteration (hence botnet). As of late March 2018 another iteration, iteration C, was started, once again repeating previously used version numbers but with different C2 server lists.

On a number of occasions the operators of TrickBot have (presumably inadvertently) introduced small temporary discrepancies in their mcconf configuration files. These discrepancies have taken various forms, from typographical errors to inconsistencies in the lists of command and control (C2) servers.

So far the following 'fumbles' have been noted:

A-1000105 (Dec, 2017) - A typographical error was introduced in one instance of the version A-1000105 config whereby two IP addresses were missing the first digit from their first quads - https://escinsecurity.blogspot.com/2017/12/adhoc-trickbot-analysis-1000105.html

B-1000040 (Feb, 2018) - A typographical error was introduced in the version B-1000040 config whereby a single server entry listing contained two ports - https://twitter.com/JR0driguezB/status/963097120722030592

C-1000183 (Apr, 2018) - A typographical error was introduced in the version C-1000183 config whereby the XML attributes in the autorun section of the mcconf were missing their surrounding quotation marks, producing invalid XML - https://twitter.com/JR0driguezB/status/990993716885295104

A-1000188 (May, 2018) - An ordering discrepancy was introduced between two instances of the version A-1000188 config whereby a server entry appeared in two different positions within otherwise identical server lists - https://twitter.com/EscInSecurity/status/993521672115445760

A-1000200 (May, 2018) - A likely typographical error caused the A-1000200 config to be issued twice with two different C2 server lists. Version A-1000200 was first discovered on 26th May with a C2 server list containing 29 servers. On the 29th May version A-1000201 was discovered with a distinct list containing 25 servers. Several gtags were discovered in conjunction with version A-1000201, including ser0529 (note that some gtags seem to employ dates in their numbering at times). On the 30th May a new version of A-1000200 (with gtag ser0530) was discovered issued with the same C2 server list as for A-1000201, making it distinct from the original A-1000200 issued on the 26th. This second A-1000200 does not look to be a new iteration used in a new infection network, because its C2 server list exactly matches A-1000201 which came before it, and versions A-1000202, A-1000203, A-1000204, and A-1000205 have all had just a single config version (as of 3rd June).
https://twitter.com/EscInSecurity/status/1003306197750042624

A-1000238 (Jul, 2018) - A likely premature release of a 'ser0726us' campaign mcconf for this version showed the same list of C2 servers as A-1000237. However, the 'tt0002', a subsequent second copy of 'ser0726us', and a 'sat25' config all show a distinct A-1000238 C2 server list.
https://escinsecurity.blogspot.com/2018/08/adhoc-trickbot-analysis-1000238.html

Alongside these discrepancies, it's worth noting a few observations as to how configuration files are updated:
  • Except where discrepancies occur, the C2 server lists are the same within a particular version number, no matter the group tag (gtag) campaign the configuration is marked with. For example, the lists in version A-1000004 were the same for both gtag "tt0002" and "not3".
  • New versions in iteration A are always accompanied by a change in the C2 server list. In contrast, new versions in iterations B and C sometimes reuse the previous version's list of servers.
  • On average approximately 75% of the C2 servers used in the configs discovered in any one week have never been used before that week.
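The checks below are an added example written for this page, not code from the original post or from any TrickBot tooling. They show how the discrepancies listed above can be caught automatically when collecting mcconfs: invalid XML (the C-1000183 unquoted attributes), a server entry carrying two ports (B-1000040), and two instances of the same version whose server lists differ in membership or only in order (A-1000188, A-1000200). The "missing first digit" case from A-1000105 usually still yields a syntactically valid IP, so it is only found by comparing instances, which is what compare_server_lists does. The XML layout (<mcconf> containing <ver>, <gtag> and <servs>/<srv> elements) is an assumed simplification for illustration, and all addresses are constructed from TEST-NET ranges, not real C2 servers.

```python
"""Added example: sanity checks for TrickBot-style mcconf server lists.

The XML layout assumed here (<mcconf><ver/><gtag/><servs><srv/></servs>) is a
simplified illustration, not the authoritative format.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample configs (TEST-NET addresses, not real C2 data).
CONFIG_OK = """<mcconf><ver>1000200</ver><gtag>ser0526</gtag>
<servs><srv>192.0.2.10:443</srv><srv>198.51.100.7:449</srv><srv>203.0.113.5:443</srv></servs>
</mcconf>"""

# Same version, same set of servers, one entry moved (the A-1000188 pattern).
CONFIG_REORDERED = """<mcconf><ver>1000200</ver><gtag>tt0002</gtag>
<servs><srv>192.0.2.10:443</srv><srv>203.0.113.5:443</srv><srv>198.51.100.7:449</srv></servs>
</mcconf>"""

# One entry with two ports (the B-1000040 pattern).
CONFIG_TWO_PORTS = """<mcconf><ver>1000040</ver><gtag>tt0002</gtag>
<servs><srv>192.0.2.10:443</srv><srv>198.51.100.7:443:449</srv></servs>
</mcconf>"""

# Unquoted XML attribute values (the C-1000183 pattern); expat rejects this.
CONFIG_BAD_XML = """<mcconf><ver>1000183</ver><gtag>sat25</gtag>
<servs><srv>192.0.2.10:443</srv></servs>
<autorun><module name=importDll64 ctl=GetInjectModule/></autorun>
</mcconf>"""

# Exactly one IPv4 address followed by exactly one port.
SRV_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3}):(\d{1,5})$")


def parse_mcconf(xml_text):
    """Return (version, gtag, [server entries]); raise ValueError on invalid XML."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"invalid XML: {exc}") from exc
    servers = [s.text.strip() for s in root.iter("srv") if s.text]
    return root.findtext("ver"), root.findtext("gtag"), servers


def check_server_entries(servers):
    """Return (entry, reason) pairs for entries that are not a single valid IPv4:port."""
    problems = []
    for entry in servers:
        m = SRV_RE.match(entry)
        if not m:
            reason = "multiple ports" if entry.count(":") > 1 else "malformed ip:port"
            problems.append((entry, reason))
            continue
        octets = [int(x) for x in m.groups()[:4]]
        port = int(m.group(5))
        if any(o > 255 for o in octets) or not 0 < port <= 65535:
            problems.append((entry, "out-of-range octet or port"))
    return problems


def compare_server_lists(a, b):
    """Compare two lists seen for one version number.

    Returns (only_in_a, only_in_b, reordered): membership differences as sorted
    lists, and a flag that is True when the sets match but the order does not.
    """
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    reordered = set(a) == set(b) and a != b
    return only_a, only_b, reordered


def fraction_new(this_week, seen_before):
    """Share of this week's server IPs (port stripped) never seen in earlier configs."""
    ips = {s.rsplit(":", 1)[0] for s in this_week}
    if not ips:
        return 0.0
    return len(ips - set(seen_before)) / len(ips)


if __name__ == "__main__":
    ver, gtag, servers = parse_mcconf(CONFIG_OK)
    _, _, reordered = parse_mcconf(CONFIG_REORDERED)
    print(ver, gtag, compare_server_lists(servers, reordered))
    print(check_server_entries(parse_mcconf(CONFIG_TWO_PORTS)[2]))
    try:
        parse_mcconf(CONFIG_BAD_XML)
    except ValueError as err:
        print(err)
```

In practice the version number and gtag from parse_mcconf are the key for grouping: every config that shares a version should produce an empty result from compare_server_lists, and anything else is a candidate "fumble" worth a closer look. fraction_new is the per-week statistic behind the last bullet above, computed on IPs alone so that a port change on a reused host does not count as a new server.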


Thanks to @hasherezade, @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @botNET___, @ArnaudDlms, @StackGazer, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell, @0x7fff9, @kobebryamV2, and @MalwareSecrets for sharing the mcconfs.