Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 21st May 2018. This analysis covers 2,311 unique C2 IP addresses used in 437 mcconfs across 253 versions, with highest versions of A-1000200, B-1000068, and C-1000198.
Since its first use in approximately October 2016, TrickBot has frequently issued new versions of its XML configuration file, mcconf. Originally there was a single chain of config versions which started at 1000002. (There may have been a 1000001, but it has not been shared publicly.) I refer to this original sequence as iteration A. In November 2017 TrickBot mcconfs were issued with older version numbers than the current iteration A configs, but with different command and control (C2) servers from those in that version's iteration A config. This indicated the start of iteration B, a new sequence of configs believed to be for a second botnet. While there is a small amount of overlap in C2 servers between iteration A and iteration B, the majority of C2 servers are specific to an iteration (and hence to a botnet). In late March 2018 another iteration, iteration C, started, once again repeating previously used version numbers but with different C2 server lists. This week victim hosts in that third botnet were merged into the iteration A botnet.
The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. The flatter the line, the more frequently versions are discovered. Ignore the two long, almost vertical lines which coincide with the switch from one iteration to the next. These vertical lines are purely an artefact of graphing the data in a single series. (Note: Full size versions of all the graphs and tables are available via the link at the end of this post.)
There were six new config versions discovered in the week commencing 21st May 2018 (A-1000196, A-1000197, A-1000198, A-1000199, A-1000200, and C-1000198), three the week before, and three the week before that. Five of the six new config versions extend the iteration A botnet, taking it to 1000200. The secondary, iteration B, botnet was not extended in the discovered versions and remains unchanged since 1000068 of 28th February 2018. The tertiary, iteration C, botnet was merged into the iteration A botnet by updating it directly from 1000185 to the same 1000198 seen in iteration A.
The C2 servers in the mcconfs listen on the following ports (service names are the IANA assignments for each port; 445, 449, and 451 were mislabelled in the original list):
- 443 (HTTPS);
- 444 (Simple Network Paging Protocol) – INACTIVE;
- 445 (SMB, microsoft-ds) – INACTIVE;
- 449 (IBM AS Server Mapper); and
- 451 (Cray Network Semaphore Server) – INACTIVE.
The following table shows the top 25 servers (of 2,311 unique) used within the 253 versions. This week’s top three entries moved up from fourth, fifth, and sixth, while the 19th and 20th were new to the top 25.
56 C2 servers were used in the mcconfs from this week, of which 23 (41%) had not been seen in any earlier mcconf. The following graph shows, for each week, the number of servers in that week's shared mcconfs as a proportion of the largest weekly count, along with the percentage churn of the servers (the share of that week's servers that were new).
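The bookkeeping behind the figures in this post (assigning configs to iterations by the rule described above, the weekly server churn, the port breakdown, and the server ranking used for the top-25 table) as an added Python example. This is not the post's own tooling: it runs over constructed sample mcconfs whose IPs come from the RFC 5737 documentation ranges, assumes the commonly reported `<ver>`/`<gtag>`/`<servs>`/`<srv>` layout, and treats an identical re-share of a known config as belonging to the chain that already holds it, so it does not reproduce the iteration C merge, where a config identical to A-1000198 is still counted under C.

```python
"""Added worked example: iteration assignment, C2 churn, ports and top servers
for TrickBot mcconfs, run over constructed sample configs (not the post's data)."""
import xml.etree.ElementTree as ET
from collections import Counter, namedtuple

# Constructed sample mcconfs in discovery order. IPs are from the RFC 5737
# documentation ranges and the ver/gtag/servs/srv layout is the commonly
# reported mcconf structure; both are assumptions, not data from the post.
SAMPLES = [
    ("week1", "<mcconf><ver>1000010</ver><gtag>grpA</gtag><servs>"
              "<srv>192.0.2.1:443</srv><srv>192.0.2.2:449</srv></servs></mcconf>"),
    ("week1", "<mcconf><ver>1000011</ver><gtag>grpA</gtag><servs>"
              "<srv>192.0.2.1:443</srv><srv>192.0.2.3:443</srv></servs></mcconf>"),
    # Lower version number than the first chain has reached, different C2 list:
    # by the rule in the post this starts a second chain (iteration B).
    ("week2", "<mcconf><ver>1000005</ver><gtag>grpB</gtag><servs>"
              "<srv>198.51.100.1:443</srv><srv>198.51.100.2:451</srv></servs></mcconf>"),
    ("week2", "<mcconf><ver>1000012</ver><gtag>grpA</gtag><servs>"
              "<srv>192.0.2.3:443</srv><srv>192.0.2.4:444</srv></servs></mcconf>"),
    ("week3", "<mcconf><ver>1000006</ver><gtag>grpB</gtag><servs>"
              "<srv>198.51.100.2:451</srv><srv>203.0.113.9:443</srv></servs></mcconf>"),
    # Re-share of an already known config: not a new version.
    ("week3", "<mcconf><ver>1000012</ver><gtag>grpA</gtag><servs>"
              "<srv>192.0.2.3:443</srv><srv>192.0.2.4:444</srv></servs></mcconf>"),
]

Seen = namedtuple("Seen", "week iteration ver servers is_new_version")


def parse_mcconf(xml_text):
    """Version number and the set of ip:port C2 entries of one mcconf."""
    root = ET.fromstring(xml_text)
    ver = int(root.findtext("ver"))
    servers = frozenset(s.text.strip() for s in root.iter("srv") if s.text)
    return ver, servers


def assign_iterations(samples):
    """Label each config A, B, C... using the rule described in the post: a
    config whose version number is not above the highest version of any
    existing chain, and whose C2 list is not one a chain already holds for
    that version, begins a new chain (a new botnet)."""
    chains = []   # one dict per iteration: label, max_ver, configs{ver: servers}, servers
    seen = []
    for week, xml_text in samples:
        ver, servers = parse_mcconf(xml_text)
        dup = next((c for c in chains if c["configs"].get(ver) == servers), None)
        if dup is not None:            # identical config shared again
            seen.append(Seen(week, dup["label"], ver, servers, False))
            continue
        # Chains this config could extend: those that have not reached ver yet.
        candidates = [c for c in chains if ver > c["max_ver"]]
        if candidates:
            # Most C2 servers are iteration-specific, so prefer the chain that
            # shares the most servers; ties go to the most recently started chain.
            chain = max(candidates, key=lambda c: (len(servers & c["servers"]), c["label"]))
        else:
            chain = {"label": chr(ord("A") + len(chains)), "max_ver": 0,
                     "configs": {}, "servers": set()}
            chains.append(chain)
        chain["configs"][ver] = servers
        chain["servers"] |= servers
        chain["max_ver"] = max(chain["max_ver"], ver)
        seen.append(Seen(week, chain["label"], ver, servers, True))
    return seen, {c["label"]: c["max_ver"] for c in chains}


def weekly_churn(seen):
    """Per week: distinct C2 servers in that week's mcconfs, how many had never
    appeared before, and that share as a whole percentage (the post's churn)."""
    known, rows = set(), []
    for week in dict.fromkeys(s.week for s in seen):
        this_week = set().union(*(s.servers for s in seen if s.week == week))
        new = this_week - known
        rows.append((week, len(this_week), len(new), round(100 * len(new) / len(this_week))))
        known |= this_week
    return rows


def port_breakdown(seen):
    """Number of distinct ip:port C2 entries per port, across all configs."""
    unique = set().union(*(s.servers for s in seen))
    return dict(Counter(int(entry.rsplit(":", 1)[1]) for entry in unique))


def top_servers(seen, n=3):
    """Servers ranked by the number of distinct config versions listing them."""
    counts = Counter()
    for s in seen:
        if s.is_new_version:
            counts.update(s.servers)
    return counts.most_common(n)


if __name__ == "__main__":
    seen, highest = assign_iterations(SAMPLES)
    for s in seen:
        print(s.week, f"{s.iteration}-{s.ver}", "new" if s.is_new_version else "re-share")
    print("highest version per iteration:", highest)
    print("weekly churn (week, servers, new, %new):", weekly_churn(seen))
    print("ports:", port_breakdown(seen))
    print("top servers:", top_servers(seen))
```

On the sample data the third config is labelled B because iteration A has already passed 1000005 and the C2 list is unknown to it, and the fourth config goes to A rather than B on server overlap; real data needs the gtag as a second signal, since the post's own counting keeps C-1000198 separate from A-1000198 despite an identical server list.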
According to Shodan's most recent data for this week's C2 servers:
- 19 are Ubiquiti devices.
- 22 are running Dropbear SSH, 13 are running OpenSSH, 10 are running nginx, five are running Apache, and five are running Exim.
Thanks to hasherezade, mpvillafranca94, JR0driguezB, 0bscureC0de, VK_Intel, K_N1kolenko, botNET___, ArnaudDlms, StackGazer, voidm4p, James_inthe_box, MakFLwana, ddoxer, spalomaresg, virsoz, moutonplacide, JasonMilletary, Ring0x0, precisionsec, Techhelplistcom, pollo290987, MalHunters, coldshell, 0x7fff9, kobebryamV2, dvk01uk, benkow, MalwareSecrets, and SaurabhSha15.
Article Link: https://escinsecurity.blogspot.com/2018/05/weekly-trickbot-analysis-end-of-wc-21.html