Weekly TrickBot Analysis - End of w/c 21-May-2018 to A-1000200, B-1000068, and C-1000198

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 21st May 2018. This analysis covers 2,311 unique C2 IP addresses used in 437 mcconfs across 253 versions, with highest versions of A-1000200, B-1000068, and C-1000198.

Since its first use in approximately October 2016, TrickBot has frequently issued new versions of its XML configuration file, mcconf. Originally there was a single chain of config versions which started at 1000002. (There may have been a 1000001 but it is not been shared publicly.) I refer to this original sequence as iteration A. In November 2017 TrickBot mcconfs were issued for older version numbers than the current iteration A configs, but with different command and control (C2) servers to those in that version’s iteration A config. This indicated the start of iteration B, a new sequence of configs believed to be for a second botnet. While there is a small amount of overlap of the C2 servers between iteration A and iteration B, the majority of C2 servers are specific to an iteration (hence botnet). As of late March 2018 another iteration, iteration C, was started, once again repeating previously used version numbers but with different C2 server lists. This week victim hosts in that third botnet were merged into the iteration A botnet.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. The flatter the line, the more frequently versions are discovered. Ignore the two long, almost vertical lines which coincide with the switch from one iteration to the next. These vertical lines are purely an artefact of graphing the data in a single series. (Note: Full size versions of all the graphs and tables are available via the link at the end of this post.)

There were six new config versions discovered in the week commencing 21st May 2018 (A-1000196, A-1000197, A-1000198, A-1000199, A-1000200, and C-1000198), three the week before, and three the week before that. Five of the six new config versions extend the iteration A botnet, taking this to 1000200. The secondary, iteration B, botnet was not extended in the discovered versions and remains unchanged since 1000068 of 28th February 2018. The tertiary, iteration C, botnet was merged into the iteration A botnet by updating it direct from 1000185 to the same 1000198 seen in iteration A.

TrickBot Version Discovery Dates

The following graph shows the number of server entries using ports:
  • 443 (HTTPS);
  • 444 (Simple Network Paging Protocol) – INACTIVE;
  • 445 (IBM AS Server Mapper) – INACTIVE;
  • 449 (Cray Network Semaphore Server); and 
  • 451 (SMB) – INACTIVE.
In the last month the length of the C2 server lists has stabilised. In the case of iteration A, its C2 server lists have contained approximately 30 server entries. The iteration C server lists have remained, like the iteration B lists, at approximately 20 entries until the 1000198 config which merged those hosts with iteration A.

TrickBot SRV Port Usage

The following table shows the top 25 servers (of  2,311 unique) used within the 253 versions. This week’s top three entries moved up from fourth, fifth, and sixth, while the 19th and 20th were new to the top 25.

TrickBot Top 25 SRV

The following table shows the breakdown of detected TrickBot campaign ‘gtag’ (group tags) values used in the 437 mcconfs analysed. (Yes, I know it’s unreadable - it’s just here as a guide to show what’s in the downloadable zip file at the bottom of the post.)

TrickBot gtag Breakdown

56 C2 servers were used in the mcconfs from this week, of which 23 (41%) were new. The following graph shows the proportional server count of mcconfs shared each week (when compared to the greatest count in a week), along with the percentage churn of the servers.

TrickBot SRV Count and Churn

The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to ASN routed through RU (and so the graph below’s Y-axis is cut short to allow clearer viewing of other country counts). The new servers’ IP addresses are associated with ASN routed to: 12xRU, 3xPL, 2xUA, 2xUS, 1xCN, 1xCW, 1xIN, and 1xNL.

TrickBot SRV IP Address BGP Prefix Country Codes

The following map shows the geographical location of 45 (those with location data) of 45 (scanned by Shodan) of the 56 C2 server IP addresses used in the analysed configs.

According to Shodan’s most recent data:
  • 19 are Ubiquiti devices.
  • 22 are running Dropbear SSH, 13 are running OpenSSH, 10 are running nginx, five are running Apache, and five are running Exim.
TrickBot C2 Server IP Locations For New Configs

The following table shows the BGP allocations of C2 servers’ IP addresses to country by TrickBot version. (Once again, I know it’s unreadable - it’s just here as a guide to show what’s in the downloadable zip file at the bottom of the post.)

TrickBot SRV IP Address BGP Prefix Country Codes By Version

Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.

TrickBot Top 25 BGP Prefixes

Full size versions of the images included in this post are available here. I’ve also created a page documenting the various discrepancies identified in TrickBot’s mcconf files.

Thanks to hasherezade, mpvillafranca94, JR0driguezB, 0bscureC0de, VK_Intel, K_N1kolenko, botNET___, ArnaudDlms, StackGazer, voidm4p, James_inthe_box, MakFLwana, ddoxer, spalomaresg, virsoz, moutonplacide, JasonMilletary, Ring0x0, precisionsec, Techhelplistcom, pollo290987, MalHunters, coldshell, 0x7fff9, kobebryamV2, dvk01uk, benkow, MalwareSecrets, and SaurabhSha15.

Article Link: https://escinsecurity.blogspot.com/2018/05/weekly-trickbot-analysis-end-of-wc-21.html