Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 26th February 2018. This analysis covers 1,722 unique C2 IP addresses used in 332 mcconfs across 176 versions, with highest versions of A-1000137 and B-1000068.
The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)
Nine new versions were discovered in the week commencing 26th February 2018 (A-1000134, A-1000135, A-1000137, B-1000062, B-1000063, B-1000064, B-1000065, B-1000067, and B-1000068), eleven the week before, and thirteen the week before that. Three of the discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000137. Six shared versions extend the secondary botnet which is reusing earlier version numbers, taking them to 1000068. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.) The graph clearly shows that the secondary botnet iteration B versions are being published at a far faster rate than the original iteration As.
In addition to the above, an unusual version config was shared with a version number of 4321123. While this is the same length as previously used versions, it is clearly dissociated from either iteration A or B. The actual config for this version had a gtag of ‘tm26’ and contained a command and control server list which was a duplicate of that used in B-1000063. It is unclear where this single mcconf fits into the existing campaigns at this time, and so it is not used in further analysis.
- 443 (HTTPS);
- 444 (Simple Network Paging Protocol) – INACTIVE;
- 445 (IBM AS Server Mapper) – INACTIVE;
- 449 (Cray Network Semaphore Server); and
- 451 (SMB) – INACTIVE.
The following table shows the top 25 servers (of 1,722 unique) used within the 176 versions. Most notably, 212[.]14[.]51[.]43 and 212[.]14[.]51[.]56 moved up into 2nd and 3rd place. Additionally, 194[.]87[.]234[.]190 jumped straight into the middle of the table following a recent push of use.
100 C2 servers were used in the mcconfs from this week, of which 85 (85%) were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to ASN routed through RU (and so the graph below’s Y-axis is cut short to allow clearer viewing of other country counts). The new servers’ IP addresses are associated with ASN routed to: 59xRU, 8xUA, 7xGB, 7xUS, 3xNL, and 1xBG.
According to Shodan’s most recent data:
- 50 are running OpenSSH, 26 are running nginx, seven are running Exim, five are running Apache, three are running MySQL, three are running Postfix, two are running Dropbear SSH, and one is running Pure-FTP.
Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer,@voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary,@Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell, @0x7fff9 and @MalwareSecrets for sharing the mcconfs.
Article Link: https://escinsecurity.blogspot.com/2018/03/weekly-trickbot-analysis-end-of-wc-26.html