Weekly TrickBot Analysis - End of w/c 26-Feb-2018 to A-1000137 and B-1000068

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 26th February 2018. This analysis covers 1,722 unique C2 IP addresses used in 332 mcconfs across 176 versions, with highest versions of A-1000137 and B-1000068.

The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)

Nine new versions were discovered in the week commencing 26th February 2018 (A-1000134, A-1000135, A-1000137, B-1000062, B-1000063, B-1000064, B-1000065, B-1000067, and B-1000068), eleven the week before, and thirteen the week before that. Three of the discovered versions extend the original iteration of version numbers (which I refer to as iteration A), taking this to 1000137. Six shared versions extend the secondary botnet which is reusing earlier version numbers, taking them to 1000068. (I track these as part of a new, distinct iteration, iteration B, of the version numbers.) The graph clearly shows that the secondary botnet iteration B versions are being published at a far faster rate than the original iteration As.

In addition to the above, an unusual version config was shared with a version number of 4321123. While this is the same length as previously used versions, it is clearly dissociated from either iteration A or B. The actual config for this version had a gtag of ‘tm26’ and contained a command and control server list which was a duplicate of that used in B-1000063. It is unclear where this single mcconf fits into the existing campaigns at this time, and so it is not used in further analysis.

TrickBot Version Discovery Dates

The following graph shows the number of server entries using ports:
  • 443 (HTTPS);
  • 444 (Simple Network Paging Protocol) – INACTIVE;
  • 445 (IBM AS Server Mapper) – INACTIVE;
  • 449 (Cray Network Semaphore Server); and 
  • 451 (SMB) – INACTIVE.
This week’s iteration A configs’ command and control (C2) server lists were similar length to last week’s, although the proportion of :449 servers (compared to :443) decreased again. The iteration B configs reduced in length after previous trending towards 20. Additionally, the brief use of port 444 (Simple Network Paging Protocol) halted with that single C2 server removed.

TrickBot SRV Port Usage

The following table shows the top 25 servers (of  1,722 unique) used within the 176 versions. Most notably, 212[.]14[.]51[.]43 and 212[.]14[.]51[.]56 moved up into 2nd and 3rd place. Additionally, 194[.]87[.]234[.]190 jumped straight into the middle of the table following a recent push of use.

TrickBot Top 25 SRV

The following table shows the breakdown of detected TrickBot campaign ‘gtag’ (group tags) values used in the 332 mcconfs analysed. 


TrickBot gtag Breakdown

100 C2 servers were used in the mcconfs from this week, of which 85 (85%) were new. The BGP prefix registrations for the C2 server IP addresses continue to be heavily biased to ASN routed through RU (and so the graph below’s Y-axis is cut short to allow clearer viewing of other country counts). The new servers’ IP addresses are associated with ASN routed to: 59xRU, 8xUA, 7xGB, 7xUS, 3xNL, and 1xBG.

TrickBot SRV IP Address BGP Prefix Country Codes

The following map shows the geographical location of 72 (those with location data) of 75 (scanned by Shodan) of the 100 C2 servers used in the analysed configs.

According to Shodan’s most recent data:
  • 50 are running OpenSSH, 26 are running nginx, seven are running Exim, five are running Apache, three are running MySQL, three are running Postfix, two are running Dropbear SSH, and one is running Pure-FTP.
TrickBot C2 Server Locations For New Configs

The following table shows the BGP allocations of C2 servers’ IP addresses to country by TrickBot version.

TrickBot SRV IP Address BGP Prefix Country Codes By Version

Finally, the following table shows the top 25 BGP prefixes used by TrickBot for C2 servers.

TrickBot Top 25 BGP Prefixes

Full size versions of the images included in this post are available here.

Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer,@voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary,@Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters, @coldshell, @0x7fff9 and @MalwareSecrets for sharing the mcconfs.

Article Link: https://escinsecurity.blogspot.com/2018/03/weekly-trickbot-analysis-end-of-wc-26.html