Weekly TrickBot Analysis - End of w/c 02-Apr-2018 to A-1000169 and B-1000068

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 2nd April 2018. This analysis covers 1,969 unique C2 IP addresses used in 374 mcconfs across 206 versions, with highest versions of A-1000169 and B-1000068.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Seven new versions were discovered in the week commencing 26th March 2018 (A-1000163, A-1000164, A-1000165, A-1000166, A-1000167, A-1000168, and A-1000169), six the week before, and eight the week before that. All seven of the discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000169. The secondary botnet, which is reusing earlier version numbers, was not extended in the discovered versions and remains unchanged for five weeks. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.)

TrickBot Version Discovery Dates

The following graph shows the number of server entries using ports:
  • 443 (HTTPS);
  • 444 (Simple Network Paging Protocol) – INACTIVE;
  • 445 (IBM AS Server Mapper) – INACTIVE;
  • 449 (Cray Network Semaphore Server); and 
  • 451 (SMB).
Ever since version 1000123, at the start of February, the iteration A configs’ command and control (C2) server lists have had a maximum of 21 entries. (The iteration B config’s had a similar limit of 22 entries when they were active.) This week’s configs continued that approach, although a :451 (SMB) server was re-added, much like the middle of March.

Notably, version 1000160 was seen with two different C2 server lists this week. This has happened only once before, in December 2017, for version 1000105; although in that case it seemed to be a typographical issue (as I discuss here). However, in the recent 1000160 version the two server lists are dramatically different (as I discuss here).

TrickBot SRV Port Usage

The following table shows the top 25 servers (of  1,969 unique) used within the 206 versions. Server 82[.]214[.]141[.]134:449 jumped up to 4th position this week, with 31[.]134[.]60[.]181:449 and 185[.]55[.]64[.]47:449 also moving up the top 25. 109[.]95[.]113[.]130:449 moved into the top 25, straight into 15th position.

TrickBot Top 25 SRV

The following table shows the breakdown of detected TrickBot campaign ‘gtag’ (group tags) values used in the 374 mcconfs analysed. 

TrickBot gtag Breakdown

77 C2 servers were used in the mcconfs from this week, of which 66 (86%) were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to ASN routed through RU (and so the graph below’s Y-axis is cut short to allow clearer viewing of other country counts). The new servers’ IP addresses are associated with ASN routed to: 51xRU, 7xUA, 5xPL, 1xBG, 1xFR, and 1xUS.

TrickBot SRV IP Address BGP Prefix Country Codes

The following map shows the geographical location of 62 (those with location data) of 64 (scanned by Shodan) of the 77 C2 servers used in the analysed configs.

According to Shodan’s most recent data:
  • 10 are MikroTik devices, 4 are Ubiquiti devices.
  • 27 are running OpenSSH, 18 are running nginx, 11 are running Apache, eight are running Exim, three are running Dropbear SSH, three are running MySQL, three are running Postfix, one is running Jetty, one is running Pro FTP, one is running Pure FTP, and one is running VNC.
TrickBot C2 Server Locations For New Configs

The following table shows the BGP allocations of C2 servers’ IP addresses to country by TrickBot version.

TrickBot SRV IP Address BGP Prefix Country Codes By Version

Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.

TrickBot Top 25 BGP Prefixes

Full size versions of the images included in this post are available here.

Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer,@voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary,@Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell, @0x7fff9 and @MalwareSecrets for sharing the mcconfs.

Article Link: https://escinsecurity.blogspot.com/2018/04/weekly-trickbot-analysis-end-of-wc-02.html