Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 8th January 2018. This analysis covers 1,195 unique C2 IP addresses used in 245 mcconfs across 109 versions, with a highest version of 1000113.
The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)
Four versions were discovered in the week commencing 8th January 2018 (1000025, 1000026, 1000112, and 1000113), one the week before, and three the week before that. Two of the discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000113. In contrast, two continue on from the four repeats from December 2017, where version numbers are reused. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.)
The C2 servers in these mcconfs use the following ports (service names are the IANA assignments for each port):

- 443 (HTTPS);
- 445 (SMB) – INACTIVE;
- 449 (IBM AS Server Mapper); and
- 451 (Cray Network Semaphore Server) – INACTIVE.
The following table shows the top 25 servers (of 1,195 unique) used within the 109 versions. This table remains the same as for the previous two weeks.
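The figures above (unique C2 IPs, ports, version count, highest version, top servers by number of versions, discoveries per week, and the A/B iteration split) all fall out of one pass over the decrypted mcconfs. The following Python script is an added example, not code from the original post: it parses a handful of constructed mcconfs (RFC 5737 test addresses, made-up gtags, not real C2 data) whose layout follows the decrypted TrickBot config (`<mcconf>` with `<ver>`, `<gtag>` and `<servs>/<srv>` "ip:port" entries) and reproduces each statistic. The iteration rule is the one the post describes: a newly seen version number higher than everything seen so far extends iteration A; a newly seen number at or below that high-water mark is a reuse and is tracked as iteration B.

```python
"""Aggregate decrypted TrickBot mcconfs into the weekly statistics."""
import datetime
import re
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample mcconfs (RFC 5737 addresses, invented gtags), dated by first sighting.
SAMPLE_MCCONFS = [
    ("2017-12-18", "<mcconf><ver>1000111</ver><gtag>tt0002</gtag><servs>"
                   "<srv>192.0.2.10:443</srv><srv>192.0.2.11:449</srv>"
                   "<srv>198.51.100.5:449</srv></servs></mcconf>"),
    ("2017-12-18", "<mcconf><ver>1000024</ver><gtag>ser0103</gtag><servs>"
                   "<srv>192.0.2.10:443</srv><srv>203.0.113.7:451</srv></servs></mcconf>"),
    ("2018-01-08", "<mcconf><ver>1000112</ver><gtag>tt0002</gtag><servs>"
                   "<srv>192.0.2.10:443</srv><srv>198.51.100.5:449</srv>"
                   "<srv>203.0.113.9:445</srv></servs></mcconf>"),
    ("2018-01-08", "<mcconf><ver>1000025</ver><gtag>ser0103</gtag><servs>"
                   "<srv>192.0.2.10:443</srv><srv>192.0.2.11:449</srv></servs></mcconf>"),
    ("2018-01-10", "<mcconf><ver>1000113</ver><gtag>tt0002</gtag><servs>"
                   "<srv>192.0.2.11:449</srv><srv>198.51.100.5:449</srv></servs></mcconf>"),
]

SRV_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_mcconf(xml_text):
    """Return (version, gtag, [(ip, port), ...]) from one decrypted mcconf."""
    root = ET.fromstring(xml_text)
    version = int(root.findtext("ver"))
    gtag = root.findtext("gtag")
    servers = []
    for srv in root.iter("srv"):
        match = SRV_RE.match((srv.text or "").strip())
        if match:  # skip a malformed entry rather than abort the whole run
            servers.append((match.group(1), int(match.group(2))))
    return version, gtag, servers


def aggregate(mcconfs):
    """Unique IPs, version count, highest version, servers per port, versions per server."""
    version_servers = defaultdict(set)
    server_versions = defaultdict(set)
    for _, xml_text in mcconfs:
        version, _, servers = parse_mcconf(xml_text)
        for ip, port in servers:
            version_servers[version].add((ip, port))
            server_versions[(ip, port)].add(version)
    ports = Counter(port for _, port in server_versions)  # unique servers per port
    return {
        "unique_ips": len({ip for ip, _ in server_versions}),
        "versions": len(version_servers),
        "highest_version": max(version_servers),
        "ports": ports,
        "server_versions": server_versions,
    }


def top_servers(agg, n=25):
    """Servers ranked by how many versions reference them, ties broken by ip:port."""
    ranked = sorted(agg["server_versions"].items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(f"{ip}:{port}", len(versions)) for (ip, port), versions in ranked[:n]]


def assign_iterations(mcconfs, known_highest=0):
    """Label each first-seen version A (extends the climbing sequence) or B (reused number).
    known_highest seeds the high-water mark from versions seen before this window."""
    highest_a = known_highest
    labels = {}
    for _, xml_text in sorted(mcconfs, key=lambda m: m[0]):  # chronological, stable
        version = parse_mcconf(xml_text)[0]
        if version in labels:
            continue  # a repeat sighting of an already-labelled version
        if version > highest_a:
            labels[version] = "A"
            highest_a = version
        else:
            labels[version] = "B"
    return labels


def discoveries_per_week(mcconfs):
    """Count first sightings of each version per ISO week (the discovery-rate graph)."""
    first_seen = {}
    for date, xml_text in sorted(mcconfs, key=lambda m: m[0]):
        first_seen.setdefault(parse_mcconf(xml_text)[0], date)
    weeks = Counter()
    for date in first_seen.values():
        year, week, _ = datetime.date.fromisoformat(date).isocalendar()
        weeks[f"{year}-W{week:02d}"] += 1
    return weeks


if __name__ == "__main__":
    stats = aggregate(SAMPLE_MCCONFS)
    print(stats["unique_ips"], "unique C2 IPs across", stats["versions"],
          "versions, highest", stats["highest_version"])
    print("servers per port:", dict(stats["ports"]))
    print("top servers:", top_servers(stats, 3))
    print("iterations:", assign_iterations(SAMPLE_MCCONFS))
    print("discoveries per week:", dict(discoveries_per_week(SAMPLE_MCCONFS)))
```

Two points to keep in mind when running this over real shares: the iteration labelling depends on sighting order, so seed `known_highest` with the top of iteration A as it stood before the window you are processing, and the "INACTIVE" judgement on a port cannot be derived from the configs alone; it needs a reachability check against the listed servers.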
Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell and @0x7fff9 for sharing the mcconfs.
Article Link: http://escinsecurity.blogspot.com/2018/01/weekly-trickbot-analysis-end-of-wc-08.html