Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 5th February 2018. This analysis covers 1,465 unique C2 IP addresses used in 275 mcconfs across 134 versions, with a highest version of 1000126.
The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)
Nine versions were discovered in the week commencing 5th February 2018 (A-1000124, A-1000125, A-1000126, B-1000033, B-1000034, B-1000035, B-1000037, B-1000038, and B-1000039), seven the week before, and seven the week before that. Three of the discovered versions (A-1000124 to A-1000126) extend the original iteration of version numbers (which I refer to as iteration A), taking it to 1000126. The other six (B-1000033 to B-1000039) extend the repeats seen over the last few months, in which low version numbers (1000021 to 1000029, and now beyond) are reused. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.)
The C2 servers in these mcconfs use the following four ports:
- 443 (HTTPS);
- 445 (SMB / microsoft-ds) – INACTIVE;
- 449 (AS Server Mapper); and
- 451 (Cray Network Semaphore Server) – INACTIVE.
The following table shows the top 25 servers (of 1,465 unique) used within the 134 versions. Two C2 servers (212[.]14[.]51[.]43[:]449 and 212[.]14[.]51[.]56[:]449) enter this table for the first time at positions 22 and 23, pushing out the bottom two servers from last week.
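The bookkeeping behind these weekly numbers (labelling versions as iteration A or B, counting unique C2 IPs and mcconfs, tallying servers per port, and ranking servers for the table) can be reproduced mechanically. The following Python script is an added example, not the post author's tooling. It runs on a constructed list of (version, defanged C2 entries) records rather than on real mcconfs, the sample mixes the two 212.14.51.x servers named above with RFC 5737 documentation addresses, and the A/B rule it applies is my reading of the post, not the author's stated method.

```python
"""Tally C2 servers, ports and version iterations from shared TrickBot mcconfs.

Added example, not the post author's tooling. Input is a list of
(version, [defanged "ip[:]port" C2 entries]) tuples in the order the mcconfs
were shared; the sample below is constructed for illustration.
"""
import re
from collections import Counter

# Constructed sample: the two 212.14.51.x servers named in the post, plus
# RFC 5737 documentation addresses. Versions deliberately interleave the
# original series with reused low numbers, as described in the post.
SAMPLE_MCCONFS = [
    ("1000123", ["212[.]14[.]51[.]43[:]449", "198[.]51[.]100[.]7[:]443"]),
    ("1000029", ["198[.]51[.]100[.]7[:]443", "203[.]0[.]113[.]9[:]445"]),
    ("1000124", ["212[.]14[.]51[.]43[:]449", "212[.]14[.]51[.]56[:]449"]),
    ("1000033", ["203[.]0[.]113[.]9[:]445", "198[.]51[.]100[.]7[:]443"]),
    ("1000124", ["212[.]14[.]51[.]43[:]449"]),  # second mcconf for the same version
]

# Defanged form used in the post: the dots and the colon are bracketed.
DEFANGED_RE = re.compile(r"^(\d{1,3}(?:\[\.\]\d{1,3}){3})\[:\](\d{1,5})$")


def refang(entry):
    """Turn '212[.]14[.]51[.]43[:]449' into ('212.14.51.43', 449).

    Raises ValueError for anything that is not a well-formed defanged
    IPv4:port entry, so a stray live indicator never slips into the tally.
    """
    match = DEFANGED_RE.match(entry.strip())
    if not match:
        raise ValueError(f"not a defanged ip[:]port entry: {entry!r}")
    ip, port = match.group(1).replace("[.]", "."), int(match.group(2))
    if port > 65535 or any(int(octet) > 255 for octet in ip.split(".")):
        raise ValueError(f"out-of-range address or port: {entry!r}")
    return ip, port


def is_defanged(entry):
    """True if refang() would accept the entry."""
    try:
        refang(entry)
    except ValueError:
        return False
    return True


def classify_versions(mcconfs):
    """Label each mcconf's version as 'A-<ver>' or 'B-<ver>' in sharing order.

    Mechanical rule (my reading of the post, not its stated method): the
    original iteration A only ever grows, so a version number below the
    highest A version already seen is a reused low number and belongs to
    iteration B. A genuinely late-discovered A version would be mislabelled;
    the post's manual tracking handles that case, this rule does not.
    """
    labels, a_high_water = [], 0
    for version, _ in mcconfs:
        number = int(version)
        if number >= a_high_water:
            a_high_water = number
            labels.append(f"A-{version}")
        else:
            labels.append(f"B-{version}")
    return labels


def summarise(mcconfs):
    """Return the headline numbers the weekly post reports."""
    labels = classify_versions(mcconfs)
    versions_by_server = {}  # (ip, port) -> set of labelled versions using it
    for (_, entries), label in zip(mcconfs, labels):
        for entry in entries:
            versions_by_server.setdefault(refang(entry), set()).add(label)
    # Rank servers by how many distinct versions use them (ties by address).
    ranked = sorted(versions_by_server.items(),
                    key=lambda item: (-len(item[1]), item[0]))
    return {
        "mcconfs": len(mcconfs),
        "versions": sorted(set(labels)),
        "unique_ips": len({ip for ip, _ in versions_by_server}),
        "unique_servers": len(versions_by_server),
        "servers_per_port": dict(Counter(port for _, port in versions_by_server)),
        "top_servers": [(f"{ip}:{port}", len(used)) for (ip, port), used in ranked],
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_MCCONFS).items():
        print(f"{key}: {value}")
```

Running the script prints the mcconf, version and unique-server counts, the number of servers on each port, and the ranked server list for the sample. `refang()` deliberately accepts only the bracketed form, so pasting a live `ip:port` indicator into the input fails loudly instead of being silently counted alongside the defanged ones.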
According to Shodan’s most recent data:
- None of these servers are MikroTik devices (historically a favourite of TrickBot).
- 51 are running OpenSSH, 30 are running nginx, five are running Apache, four are running Exim, two are running Postfix, one is running Dropbear SSH, one is running MySQL, and one is running ProFTPD – with some servers running as many as five of these products.
Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell, @0x7fff9 and @MalwareSecrets for sharing the mcconfs.
Article Link: http://escinsecurity.blogspot.com/2018/02/weekly-trickbot-analysis-end-of-wc-05.html