Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 15th January 2018. This analysis covers 1,218 unique C2 IP addresses used in 248 mcconfs across 111 versions, with a highest version of 1000115.
The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)
Two versions were discovered in the week commencing 15th January 2018 (1000114 and 1000115), four the week before, and one the week before that. The two newly discovered versions extend the original sequence of version numbers (which I refer to as iteration A), taking it to 1000115. No versions were shared that extend the six repeated versions seen over the last two months, in which low version numbers (1000021 to 1000026) are reused. (I track these as part of a new, distinct iteration of the version numbers, iteration B.)
- 443 (HTTPS);
- 445 (IBM AS Server Mapper) – INACTIVE;
- 449 (Cray Network Semaphore Server); and
- 451 (SMB) – INACTIVE.
The following table shows the top 25 servers (of 1,218 unique) used within the 111 versions. This table is unchanged from the previous three weeks.
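As an added example (not the author's own tooling), the following Python aggregates constructed mcconf records into the figures this post tracks: versions discovered per week commencing, iteration A/B assignment, unique C2 IPs, port breakdown and top servers. The record layout, the sample values and the cutoff date used to separate reused iteration B numbers from their original iteration A appearances are assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample mcconf records: (version, date first shared, C2 servers as "ip:port").
# Illustrative values only, not the real mcconfs behind the post's figures.
SAMPLE_MCCONFS = [
    (1000113, date(2018, 1, 10), ["203.0.113.10:443", "198.51.100.7:449"]),
    (1000114, date(2018, 1, 16), ["203.0.113.10:443", "198.51.100.7:449", "192.0.2.55:451"]),
    (1000115, date(2018, 1, 18), ["203.0.113.10:443", "192.0.2.55:451", "198.51.100.9:445"]),
    (1000024, date(2018, 1, 12), ["198.51.100.7:449", "192.0.2.88:443"]),
]

# Low version numbers the post reports as being reused (iteration B).
ITERATION_B_RANGE = range(1000021, 1000027)


def week_commencing(d):
    """Monday of the week containing d, as ISO text (the post groups discoveries this way)."""
    return (d - timedelta(days=d.weekday())).isoformat()


def iteration_of(version, first_seen, b_cutoff=date(2017, 11, 15)):
    """Assumption: a low version number first shared on/after the cutoff is a reuse (B),
    anything else belongs to the original sequence (A)."""
    return "B" if version in ITERATION_B_RANGE and first_seen >= b_cutoff else "A"


def summarise(mcconfs, top_n=3):
    """Build the weekly statistics from a list of (version, date, servers) records."""
    first_seen = {}          # version -> earliest date shared
    servers = Counter()      # "ip:port" -> number of mcconfs listing it
    ports = Counter()        # port -> number of server entries using it
    ips = set()              # unique C2 IP addresses regardless of port
    for ver, seen, servs in mcconfs:
        first_seen[ver] = min(seen, first_seen.get(ver, seen))
        for srv in servs:
            ip, port = srv.rsplit(":", 1)
            ips.add(ip)
            ports[int(port)] += 1
            servers[srv] += 1
    return {
        "mcconfs": len(mcconfs),
        "versions": len(first_seen),
        "highest_version": max(first_seen),
        "unique_c2_ips": len(ips),
        "versions_per_week": dict(Counter(week_commencing(d) for d in first_seen.values())),
        "iteration": {v: iteration_of(v, d) for v, d in first_seen.items()},
        "ports": dict(ports),
        "top_servers": servers.most_common(top_n),
    }
```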
Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell and @0x7fff9 for sharing the mcconfs.
Article Link: http://escinsecurity.blogspot.com/2018/01/weekly-trickbot-analysis-end-of-wc-15.html