Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 2nd April 2018. This analysis covers 1,969 unique C2 IP addresses used in 374 mcconfs across 206 versions, with highest versions of A-1000169 and B-1000068.
The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)
Seven new versions were discovered in the week commencing 26th March 2018 (A-1000163, A-1000164, A-1000165, A-1000166, A-1000167, A-1000168, and A-1000169), six the week before, and eight the week before that. All seven of the discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000169. The secondary botnet, which is reusing earlier version numbers, was not extended in the discovered versions and remains unchanged for five weeks. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.)
- 443 (HTTPS);
- 444 (Simple Network Paging Protocol) – INACTIVE;
- 445 (IBM AS Server Mapper) – INACTIVE;
- 449 (Cray Network Semaphore Server); and
- 451 (SMB).
Notably, version 1000160 was seen with two different C2 server lists this week. This has happened only once before, in December 2017, for version 1000105; although in that case it seemed to be a typographical issue (as I discuss here). However, in the recent 1000160 version the two server lists are dramatically different (as I discuss here).
According to Shodan’s most recent data:
- 10 are MikroTik devices, 4 are Ubiquiti devices.
- 27 are running OpenSSH, 18 are running nginx, 11 are running Apache, eight are running Exim, three are running Dropbear SSH, three are running MySQL, three are running Postfix, one is running Jetty, one is running Pro FTP, one is running Pure FTP, and one is running VNC.
Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer,@voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary,@Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell, @0x7fff9 and @MalwareSecrets for sharing the mcconfs.