Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 12th February 2018. This analysis covers 1,547 unique C2 IP addresses used in 290 mcconfs across 148 versions, with a highest version of A-1000130 and B-1000051.
The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)
Thirteen versions were discovered in the week commencing 12th February 2018 (A-1000127, A-1000128, A-1000129, A-1000130, B-1000040, B-1000041, B-1000042, B-1000045, B-1000046, B-1000047, B-1000049, B-1000050, and B-1000051), nine the week before, and seven the week before that. Four of the discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000130. Nine shared versions extend the secondary botnet which is reusing earlier version numbers, taking them to 1000051. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.)
The mcconfs specify four C2 ports:
- 443 (HTTPS);
- 445 (Microsoft-DS/SMB) – INACTIVE;
- 449 (IBM AS Server Mapper); and
- 451 (Cray Network Semaphore Server) – INACTIVE.
The following table shows the top 25 servers (of 1,547 unique) used within the 148 versions. Two C2 servers (212[.]14[.]51[.]43[:]449 and 212[.]14[.]51[.]56[:]449) which entered this table for the first time last week have jumped up the table following numerous uses this week. Two further C2 servers (78[.]155[.]199[.]119[:]443 and 78[.]155[.]218[.]105[:]443) have also increased their positions significantly.
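The C2 indicators above are written in defanged `ip[.]x[.]y[.]z[:]port` form, so they cannot be pasted straight into a blocklist or IDS rule. The following is an added example, not code from the original post: it refangs such indicators, discards anything that is not a valid public IPv4 address with a sane port, groups the survivors by port against the four ports listed in this post, and emits one Suricata rule per C2 server. The four sample indicators are the ones quoted in this section; the `TRICKBOT_PORTS` table, the SID base and the rule text are my own assumptions, and any SID range must be adjusted to avoid collisions with rules already deployed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: the four defanged C2 servers quoted in the post.
SAMPLE_INDICATORS = """
212[.]14[.]51[.]43[:]449
212[.]14[.]51[.]56[:]449
78[.]155[.]199[.]119[:]443
78[.]155[.]218[.]105[:]443
"""

# Assumption: the four C2 ports from this post, with the two the post marks INACTIVE.
TRICKBOT_PORTS = {443: "active", 445: "inactive", 449: "active", 451: "inactive"}

# Matches a dotted quad with [.] separators followed by [:] and a port number.
DEFANGED_RE = re.compile(r"(\d{1,3}(?:\[\.\]\d{1,3}){3})\[:\](\d{1,5})")


def refang(text):
    """Return (ip, port) tuples for every valid defanged indicator in text.

    Indicators that are not a public (globally routable) IPv4 address, or whose
    port is out of range, are silently dropped so a typo cannot become a rule.
    """
    results = []
    for ip_raw, port_raw in DEFANGED_RE.findall(text):
        ip = ip_raw.replace("[.]", ".")
        try:
            addr = ipaddress.IPv4Address(ip)
        except ipaddress.AddressValueError:
            continue  # e.g. an octet above 255
        port = int(port_raw)
        if not addr.is_global or not 0 < port < 65536:
            continue  # private/reserved address or impossible port
        results.append((str(addr), port))
    return results


def by_port(indicators):
    """Group refanged indicators by destination port: {port: [ip, ...]}."""
    grouped = defaultdict(list)
    for ip, port in indicators:
        grouped[port].append(ip)
    return dict(grouped)


def suricata_rules(indicators, sid_base=9000000):
    """Emit one outbound-connection alert rule per unique C2 server.

    sid_base is a hypothetical local SID range; pick one free in your ruleset.
    """
    rules = []
    for i, (ip, port) in enumerate(sorted(set(indicators))):
        status = TRICKBOT_PORTS.get(port, "unlisted")
        rules.append(
            f"alert tcp $HOME_NET any -> {ip} {port} "
            f'(msg:"TrickBot C2 {ip}:{port} ({status} port)"; '
            f"flow:to_server; sid:{sid_base + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    c2 = refang(SAMPLE_INDICATORS)
    for port, ips in sorted(by_port(c2).items()):
        print(f"port {port} ({TRICKBOT_PORTS.get(port, 'unlisted')}): {', '.join(ips)}")
    print("\n".join(suricata_rules(c2)))
```

Running the script prints the four servers grouped under ports 443 and 449 and four `alert tcp` rules. Feeding it the full 1,547-address list would be the same call; the validity checks matter more there, since one mistyped octet in a shared mcconf dump would otherwise turn into a rule that never fires or, worse, one that blocks a legitimate address.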
According to Shodan’s most recent data:
- None of these servers is a MikroTik device (historically a favourite of TrickBot). One is a Ubiquiti EdgeRouter X (ER-X), and one is a Ubiquiti NanoStation 2.
- 51 are running OpenSSH, 24 are running nginx, 11 are running Exim, seven are running Apache, five are running MySQL, two are running Postfix, one is running Dropbear SSH, and one is running Gearman (an application framework for farming out work to other machines) – with some servers running as many as four of these products.
Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell, @0x7fff9 and @MalwareSecrets for sharing the mcconfs.
Article Link: http://escinsecurity.blogspot.com/2018/02/weekly-trickbot-analysis-end-of-wc-12.html