Here are the results of my analysis of TrickBot Banking Trojan mcconfs (the trojan's XML-style main configuration files, which carry the version number, campaign group tag and C2 server list) shared up to the end of the week commencing 25th December 2017. This analysis covers 1,134 unique C2 IP addresses used in 240 mcconfs across 104 versions, with a highest version of 1000110.
The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)
Three versions were discovered in the last week (1000023, 1000024, and 1000110), six the week before, and four the week before that. Two of the newly discovered versions repeat early version numbers (1000023 and 1000024), following on from a similar pair (1000021 and 1000022) the week before. Because these recently shared configs carry novel campaign group tags (gtags) and C2 server lists that do not overlap with any previous config, I am tracking them as a new, distinct 'iteration' of the version numbers rather than as re-shares of the old configs. In this and future analysis results the original iteration is therefore referred to as iteration A and the new one as iteration B, where the distinction is relevant.
The C2 servers listed in the mcconfs use the following four ports (IANA-registered service names in brackets):
- 443 (HTTPS);
- 445 (Microsoft-DS / SMB) – INACTIVE;
- 449 (AS Server Mapper); and
- 451 (Cray Network Semaphore Server) – INACTIVE.
The registered names are incidental: TrickBot carries its own HTTPS-based C2 traffic on all of these ports, so port number alone is not a reliable way to classify the traffic.
The following table shows the top 25 servers (of 1,134 unique) used within the 104 versions, ranked by the number of versions in which each appears. There were no changes to the ordering of the top 25 compared to last week; only one of the top 25 servers (200[.]111.97.235:449) gained an additional version.
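To make the bookkeeping behind these figures concrete, the following script (an added example, not part of the original post or of any TrickBot tooling) parses a set of mcconfs, assigns each to iteration A or B using the rule described above (a repeated version number whose gtag is new and whose server list is disjoint from every iteration-A config is iteration B), and then produces the same kind of tallies as the weekly results: unique C2 endpoints, versions per port, and the top servers ranked by the number of versions using them. The seven sample configs are constructed for the example: they follow the public mcconf layout (`<mcconf><ver/><gtag/><servs><srv/></servs><autorun/></mcconf>`) but use RFC 5737 documentation addresses and made-up gtags, and the dates are invented first-seen dates. `defang` reproduces the post's own convention of bracketing the first dot of an address.

```python
"""Tally TrickBot mcconf data: iteration assignment for repeated version
numbers, unique C2 endpoints, port usage, and top servers by version count.
Added example; sample configs are constructed and use RFC 5737 addresses."""
from collections import defaultdict
import xml.etree.ElementTree as ET


def _sample(date, ver, gtag, *servers):
    """Build a constructed mcconf in the public layout (not a real config)."""
    srvs = "".join(f"<srv>{s}</srv>" for s in servers)
    return (date, f"<mcconf><ver>{ver}</ver><gtag>{gtag}</gtag><servs>{srvs}</servs>"
                  f'<autorun><module name="systeminfo" ctl="GetSystemInfo"/></autorun></mcconf>')


# (first_seen, mcconf text). Deliberately out of date order to show sorting.
SAMPLE_MCCONFS = [
    _sample("2017-02-06", 1000023, "aa0001", "192.0.2.10:443", "192.0.2.11:449"),
    _sample("2017-02-13", 1000024, "aa0002", "192.0.2.11:449", "192.0.2.12:449"),
    _sample("2017-12-18", 1000108, "aa0003", "192.0.2.12:449", "198.51.100.5:451"),
    _sample("2017-12-26", 1000023, "bb0001", "203.0.113.7:443", "203.0.113.8:449"),
    _sample("2017-12-27", 1000024, "bb0002", "203.0.113.8:449", "203.0.113.9:449"),
    _sample("2017-12-28", 1000110, "aa0004", "192.0.2.12:449", "198.51.100.6:445"),
    # Re-share of the iteration-A 1000023 config: same gtag, overlapping server.
    _sample("2017-03-01", 1000023, "aa0001", "192.0.2.10:443"),
]


def parse_mcconf(text):
    """Extract version, gtag and C2 endpoints (ip:port) from one mcconf."""
    root = ET.fromstring(text.strip())
    if root.tag != "mcconf":
        raise ValueError("not an mcconf document")
    ver, gtag = root.findtext("ver"), root.findtext("gtag")
    servers = [s.text.strip() for s in root.iter("srv") if s.text and s.text.strip()]
    if ver is None or gtag is None or not servers:
        raise ValueError("mcconf missing <ver>, <gtag> or <srv> entries")
    return {"ver": int(ver.strip()), "gtag": gtag.strip(), "servers": servers}


def assign_iterations(dated_texts):
    """Parse configs in first-seen order and tag each 'A' or 'B'.

    A config is iteration B when its version number was already seen in
    iteration A, its gtag has never appeared in an A config, and none of its
    servers appear in any A config. Everything else (new versions, or copies
    that overlap an existing A config) stays in iteration A.
    """
    a_versions, a_gtags, a_servers = set(), set(), set()
    configs = []
    for date, text in sorted(dated_texts, key=lambda pair: pair[0]):
        cfg = parse_mcconf(text)
        cfg["first_seen"] = date
        repeats = cfg["ver"] in a_versions
        novel = cfg["gtag"] not in a_gtags and not (set(cfg["servers"]) & a_servers)
        if repeats and novel:
            cfg["iteration"] = "B"
        else:
            cfg["iteration"] = "A"
            a_versions.add(cfg["ver"])
            a_gtags.add(cfg["gtag"])
            a_servers.update(cfg["servers"])
        configs.append(cfg)
    return configs


def summarize(configs, top_n=25):
    """Produce the weekly-style tallies; a 'version' is (number, iteration)."""
    versions_per_server = defaultdict(set)
    versions_per_port = defaultdict(set)
    for cfg in configs:
        key = (cfg["ver"], cfg["iteration"])
        for srv in cfg["servers"]:
            versions_per_server[srv].add(key)
            versions_per_port[srv.rsplit(":", 1)[1]].add(key)
    ranked = sorted(versions_per_server.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return {
        "mcconfs": len(configs),
        "versions": len({(c["ver"], c["iteration"]) for c in configs}),
        "highest_version": max(c["ver"] for c in configs),
        "unique_c2": len(versions_per_server),
        "unique_ips": len({srv.rsplit(":", 1)[0] for srv in versions_per_server}),
        "ports": {port: len(v) for port, v in sorted(versions_per_port.items())},
        "top_servers": [(srv, len(v)) for srv, v in ranked[:top_n]],
    }


def defang(endpoint):
    """Bracket the first dot, matching the post's 200[.]111.97.235:449 style."""
    return endpoint.replace(".", "[.]", 1)


if __name__ == "__main__":
    parsed = assign_iterations(SAMPLE_MCCONFS)
    for c in parsed:
        print(c["first_seen"], c["ver"], c["iteration"], c["gtag"], ", ".join(map(defang, c["servers"])))
    result = summarize(parsed)
    for k, v in result.items():
        print(f"{k}: {v}" if k != "top_servers" else f"{k}: {[(defang(s), n) for s, n in v]}")
```

Run stand-alone it prints each config with its iteration tag and then the tallies. The ranking key sorts by version count and then by endpoint string, so the ordering is deterministic week to week and "one server gained an additional version" shows up as a changed count rather than a reshuffled table.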
Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell and @0x7fff9 for sharing the mcconfs.
Article Link: http://escinsecurity.blogspot.com/2018/01/weekly-trickbot-analysis-end-of-wc-25.html