Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 2nd April 2018. This analysis covers 1,969 unique C2 IP addresses used in 374 mcconfs across 206 versions, with highest versions of A-1000169 and B-1000068.
The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)
Seven new versions were discovered in the week commencing 26th March 2018 (A-1000163, A-1000164, A-1000165, A-1000166, A-1000167, A-1000168, and A-1000169), six the week before, and eight the week before that. All seven of the discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000169. The secondary botnet, which is reusing earlier version numbers, was not extended in the discovered versions and has remained unchanged for five weeks. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.)
The C2 servers in the mcconfs use the following ports:
- 443 (HTTPS);
- 444 (Simple Network Paging Protocol) – INACTIVE;
- 445 (IBM AS Server Mapper) – INACTIVE;
- 449 (Cray Network Semaphore Server); and
- 451 (SMB).
Notably, version 1000160 was seen with two different C2 server lists this week. This has happened only once before, in December 2017, for version 1000105; although in that case it seemed to be a typographical issue (as I discuss here). However, in the recent 1000160 version the two server lists are dramatically different (as I discuss here).
The following table shows the top 25 servers (of 1,969 unique) used within the 206 versions. Server 82[.]214[.]141[.]134:449 jumped up to 4th position this week, with 31[.]134[.]60[.]181:449 and 185[.]55[.]64[.]47:449 also moving up the top 25. 109[.]95[.]113[.]130:449 moved into the top 25, straight into 15th position.
77 C2 servers were used in this week's mcconfs, of which 66 (86%) were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased towards ASNs routed through RU (so the Y-axis of the graph below is cut short to allow clearer viewing of the other country counts). The new servers' IP addresses are associated with ASNs routed to: 51xRU, 7xUA, 5xPL, 1xBG, 1xFR, and 1xUS.
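The counting behind the figures above (distinct C2 lists per version, the top-server ranking, per-port totals and week-over-week new servers), as an added Python example that is not part of the original post. The mcconf samples are constructed with RFC 5737 documentation addresses, and the `<ver>`/`<servs>`/`<srv>` element layout is assumed from public TrickBot config write-ups.

```python
import xml.etree.ElementTree as ET
from collections import Counter
def mk(ver, *srvs):  # build a minimal mcconf document for the samples below
    body = "".join(f"<srv>{s}</srv>" for s in srvs)
    return f"<mcconf><ver>{ver}</ver><servs>{body}</servs></mcconf>"
# Constructed samples as (week, mcconf XML); element names are assumed from
# public TrickBot config write-ups, IPs are RFC 5737 documentation addresses.
SAMPLE_MCCONFS = [
    ("2018-W13", mk(1000160, "192.0.2.10:449", "192.0.2.11:443")),
    ("2018-W13", mk(1000161, "192.0.2.10:449", "192.0.2.12:449")),
    ("2018-W14", mk(1000160, "198.51.100.5:449", "198.51.100.6:449")),
    ("2018-W14", mk(1000169, "192.0.2.10:449", "198.51.100.7:443")),
]

def parse_mcconf(xml_text):
    """Return (version, frozenset of 'ip:port') from one mcconf."""
    root = ET.fromstring(xml_text)
    servers = frozenset(s.text.strip() for s in root.iter("srv") if s.text)
    return root.findtext("ver"), servers
def servers_seen(mcconfs, keep=lambda week: True):
    """Union of all servers in the mcconfs whose week passes `keep`."""
    return set().union(*(parse_mcconf(x)[1] for w, x in mcconfs if keep(w)))

def server_lists_by_version(mcconfs):
    """Map each version to the distinct C2 lists it was seen with."""
    seen = {}
    for _week, xml_text in mcconfs:
        version, servers = parse_mcconf(xml_text)
        seen.setdefault(version, set()).add(servers)
    return seen

def conflicting_versions(mcconfs):
    """Versions distributed with more than one distinct C2 list."""
    by_ver = server_lists_by_version(mcconfs)
    return sorted(v for v, lists in by_ver.items() if len(lists) > 1)

def top_servers(mcconfs, n=25):
    """Rank servers by how many distinct versions list them."""
    uses = Counter()
    for lists in server_lists_by_version(mcconfs).values():
        uses.update(set().union(*lists))  # each server once per version
    return uses.most_common(n)

def port_counts(mcconfs):
    """Number of distinct servers per C2 port across all mcconfs."""
    return Counter(s.rsplit(":", 1)[1] for s in servers_seen(mcconfs))
def new_servers(mcconfs, week):
    """Servers seen in `week` that never appeared in an earlier week."""
    return servers_seen(mcconfs, lambda w: w == week) - servers_seen(mcconfs, lambda w: w < week)
```

On the constructed samples, version 1000160 is reported as conflicting because it appears with two different server lists across the two weeks.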
According to Shodan’s most recent data:
- 10 are MikroTik devices and 4 are Ubiquiti devices.
- 27 are running OpenSSH, 18 are running nginx, 11 are running Apache, eight are running Exim, three are running Dropbear SSH, three are running MySQL, three are running Postfix, one is running Jetty, one is running Pro FTP, one is running Pure FTP, and one is running VNC.
Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell, @0x7fff9 and @MalwareSecrets for sharing the mcconfs.
Article Link: https://escinsecurity.blogspot.com/2018/04/weekly-trickbot-analysis-end-of-wc-02.html