Here are the results of my analysis of TrickBot Banking Trojan mcconfs (the XML C2 configurations extracted from TrickBot samples) shared up to the end of the week commencing 9th April 2018. This analysis covers 2,015 unique C2 IP addresses used in 383 mcconfs across 212 versions, with highest versions of A-1000175 and B-1000068.
The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.) Full size versions of all the graphs and tables are available via the link at the end of this post.
Six new versions were discovered in the week commencing 26th March 2018 (A-1000170, A-1000171, A-1000172, A-1000173, A-1000174, and A-1000175), seven the week before, and six the week before that. All six of the discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000175. The secondary botnet, which is reusing earlier version numbers, was not extended in the discovered versions and has now been unchanged for six weeks. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.)
The C2 servers in the mcconfs listen on the following ports (the bracketed names are the IANA service registrations for those port numbers, not the protocol the C2 actually speaks on them):
- 443 (HTTPS);
- 444 (Simple Network Paging Protocol) – INACTIVE;
- 445 (Microsoft-DS / SMB) – INACTIVE;
- 449 (IBM AS Server Mapper); and
- 451 (Cray Network Semaphore Server).
The following table shows the top 25 servers (of 2,015 unique) used within the 212 versions, ranked by the number of versions in which each server appears. There were only two changes this week. Server 82[.]214[.]141[.]134:449 continued its climb up the table, from last week’s 4th position to 1st. Additionally, 185[.]159[.]128[.]158:443 entered the table at 24th.
58 C2 servers were used in the mcconfs from this week, of which 48 (83%) had not been seen in any earlier mcconf. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased towards ASNs routed through RU (so the Y-axis of the graph below is cut short to allow clearer viewing of the other country counts). The new servers’ IP addresses are associated with ASNs routed through: 21xRU, 10xUS, 4xPL, 3xRS, 2xLU, 1xBR, 1xDE, 1xFR, 1xHU, 1xIQ, 1xIT, 1xRO and 1xUA.
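The figures above (unique C2 IPs, unique mcconfs, versions, port breakdown, the servers-by-versions table and the share of servers not seen before) all fall out of a simple aggregation over the shared configs. The script below is an added example of that aggregation, written for this post and not part of the original analysis or any TrickBot tooling. It assumes the usual mcconf layout of `<mcconf><ver>`, `<gtag>` and `<servs><srv>ip:port</srv></servs>`; the sample mcconfs are constructed (they reuse the two server addresses mentioned in the table above plus RFC 5737 documentation addresses), and the function names are my own.

```python
"""Aggregate shared TrickBot mcconfs into the weekly headline figures.

Added example: the mcconf shape is assumed, and the sample configs and all
IP addresses below are constructed, not real shared data.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample mcconfs. The fourth is a duplicate share of the third
# (same content from a different uploader) and must count only once.
SAMPLE_MCCONFS = [
    """<mcconf><ver>1000173</ver><gtag>ser0326</gtag><servs>
    <srv>82.214.141.134:449</srv><srv>185.159.128.158:443</srv>
    <srv>203.0.113.10:449</srv></servs></mcconf>""",
    """<mcconf><ver>1000174</ver><gtag>ser0327</gtag><servs>
    <srv>82.214.141.134:449</srv><srv>203.0.113.10:449</srv>
    <srv>198.51.100.7:443</srv></servs></mcconf>""",
    """<mcconf><ver>1000175</ver><gtag>ser0402</gtag><servs>
    <srv>82.214.141.134:449</srv><srv>198.51.100.7:443</srv>
    <srv>192.0.2.55:451</srv></servs></mcconf>""",
    """<mcconf><ver>1000175</ver><gtag>ser0402</gtag><servs>
    <srv>82.214.141.134:449</srv><srv>198.51.100.7:443</srv>
    <srv>192.0.2.55:451</srv></servs></mcconf>""",
]

SRV_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_mcconf(text):
    """Return (version, gtag, sorted tuple of (ip, port)) for one mcconf.

    Malformed <srv> entries raise ValueError so a bad paste does not
    silently leak junk into the tallies.
    """
    root = ET.fromstring(text)
    if root.tag != "mcconf":
        raise ValueError("not an mcconf document")
    ver = int(root.findtext("ver"))
    gtag = (root.findtext("gtag") or "").strip()
    servers = set()
    for srv in root.iter("srv"):
        m = SRV_RE.match((srv.text or "").strip())
        if not m:
            raise ValueError(f"malformed srv entry: {srv.text!r}")
        ip = str(ipaddress.IPv4Address(m.group(1)))  # rejects octets > 255
        port = int(m.group(2))
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        servers.add((ip, port))
    return ver, gtag, tuple(sorted(servers))


def unique_mcconfs(texts):
    """Parse and de-duplicate: the same config shared twice counts once."""
    return sorted({parse_mcconf(t) for t in texts})


def defang(ip):
    """Render an IP as it appears in the tables, e.g. 203[.]0[.]113[.]10."""
    return ip.replace(".", "[.]")


def servers_in(mcconfs, versions):
    """All (ip, port) pairs used by the given set of version numbers."""
    return {s for ver, _, servers in mcconfs if ver in versions for s in servers}


def summarize(mcconfs):
    """Headline numbers plus the servers-by-number-of-versions table."""
    per_version = {}
    for ver, _, servers in mcconfs:
        per_version.setdefault(ver, set()).update(servers)
    # A server is counted once per version, however many mcconfs that
    # version was shared in; this is the ranking used by the top-25 table.
    server_versions = Counter()
    for servers in per_version.values():
        server_versions.update(servers)
    all_servers = set(server_versions)
    return {
        "unique_ips": len({ip for ip, _ in all_servers}),
        "unique_mcconfs": len(mcconfs),
        "versions": sorted(per_version),
        "ports": Counter(port for _, port in all_servers),
        "top_servers": [(f"{defang(ip)}:{port}", n)
                        for (ip, port), n in server_versions.most_common()],
    }


def new_server_share(this_week, seen_before):
    """(servers this week, of which new, percentage new)."""
    new = this_week - seen_before
    pct = round(100 * len(new) / len(this_week)) if this_week else 0
    return len(this_week), len(new), pct


if __name__ == "__main__":
    mcs = unique_mcconfs(SAMPLE_MCCONFS)
    summary = summarize(mcs)
    print(summary["unique_ips"], "unique C2 IPs in", summary["unique_mcconfs"],
          "mcconfs across", len(summary["versions"]), "versions")
    print("ports:", dict(summary["ports"]))
    for server, n in summary["top_servers"]:
        print(f"{server}  seen in {n} version(s)")
    week = servers_in(mcs, {1000175})
    earlier = servers_in(mcs, {1000173, 1000174})
    print("this week: %d servers, %d (%d%%) new" % new_server_share(week, earlier))
```

The ASN and country attribution in the post needs a live BGP lookup (or a local RIB dump), so it is deliberately left out here; the aggregation is purely offline.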
According to Shodan’s most recent data:
- 14 are Ubiquiti devices and six are MikroTik devices.
- 13 are running OpenSSH, 13 are running Dropbear SSH, 12 are running nginx, four are running Exim, three are running Apache, one is running IIS, and one is running Pro FTP.
Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell, @0x7fff9 and @MalwareSecrets for sharing the mcconfs.
Article Link: https://escinsecurity.blogspot.com/2018/04/weekly-trickbot-analysis-end-of-wc-09.html