Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 27th November 2017. This analysis covers 946 unique C2 IP addresses used in 211 mcconfs across 85 versions, with a latest version of 1000096.
The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)
Five new versions were discovered in the last week (1000092, 1000093, 1000094, 1000095, and 1000096), one the week before, and four the week before that. No mcconfs have been shared for 1000091 so far – it may be that this version was either skipped or, more likely, only distributed to a small subset of the TrickBot installations.
- 443 (HTTPS);
- 445 (IBM AS Server Mapper) – INACTIVE;
- 449 (Cray Network Semaphore Server); and
- 451 (SMB) – INACTIVE.
The following table shows the top 25 servers (of 946 unique) used within the 85 versions. There was a single change near the bottom of the table compared to last week. I’ve updated the table to now include the first and most recent versions in which each server was used.
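The server table and the port breakdown above are both aggregations over a set of shared mcconfs. The following Python example, added here and not part of the original post or the author's own tooling, shows one way to compute them: it parses a handful of constructed mcconf documents, counts how many configs each server appears in, records the first and most recent version in which it was seen, and tallies ports over the unique servers. The element layout (`<mcconf>` with `<ver>` and `<servs>/<srv>` entries of the form `ip:port`) is an assumption about the format, and the IPs are RFC 5737 documentation addresses rather than real C2 servers.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample mcconfs (not real TrickBot configs). The element layout
# (<mcconf> with <ver> and <servs>/<srv> "ip:port" entries) is an assumption
# about the format; the IPs are RFC 5737 documentation addresses.
SAMPLE_MCCONFS = [
    """<mcconf><ver>1000094</ver><gtag>tt0001</gtag><servs>
        <srv>192.0.2.10:443</srv><srv>192.0.2.11:449</srv><srv>198.51.100.5:443</srv>
      </servs></mcconf>""",
    """<mcconf><ver>1000095</ver><gtag>tt0001</gtag><servs>
        <srv>192.0.2.10:443</srv><srv>198.51.100.5:443</srv><srv>203.0.113.7:449</srv>
      </servs></mcconf>""",
    """<mcconf><ver>1000096</ver><gtag>tt0002</gtag><servs>
        <srv>192.0.2.10:443</srv><srv>203.0.113.7:449</srv><srv>203.0.113.8:451</srv>
      </servs></mcconf>""",
]


def parse_mcconf(xml_text):
    """Return (version, [(ip, port), ...]) for one mcconf document."""
    root = ET.fromstring(xml_text)
    version = int(root.findtext("ver"))
    servers = []
    for srv in root.iter("srv"):
        # rpartition so a stray ':' inside the host part does not break the split
        ip, _, port = srv.text.strip().rpartition(":")
        servers.append((ip, int(port)))
    return version, servers


def analyse(mcconfs, top_n=25):
    """Aggregate servers across mcconfs: occurrence count, first and last version,
    unique IP count, version list and a port tally over unique servers."""
    usage = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    versions = set()
    for text in mcconfs:
        version, servers = parse_mcconf(text)
        versions.add(version)
        for ip, port in servers:
            entry = usage[(ip, port)]
            entry["count"] += 1
            entry["first"] = version if entry["first"] is None else min(entry["first"], version)
            entry["last"] = version if entry["last"] is None else max(entry["last"], version)

    # Port tally over unique (ip, port) servers, matching the "of N unique" framing above
    ports = Counter(port for (_, port) in usage)

    # Top-N table: most-used servers first, ties broken by IP then port for stable output
    ranked = sorted(usage.items(), key=lambda kv: (-kv[1]["count"], kv[0][0], kv[0][1]))
    top_servers = [
        (ip, port, e["count"], e["first"], e["last"]) for (ip, port), e in ranked[:top_n]
    ]

    return {
        "unique_ips": len({ip for (ip, _) in usage}),
        "versions": sorted(versions),
        "ports": ports,
        "top_servers": top_servers,
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_MCCONFS)
    print(f"{result['unique_ips']} unique IPs across versions {result['versions']}")
    print("ports:", dict(result["ports"]))
    print("server            port  count  first    last")
    for ip, port, count, first, last in result["top_servers"]:
        print(f"{ip:<17} {port:<5} {count:<6} {first:<8} {last}")
```

Run against a directory of collected mcconfs, the same `analyse()` call yields the "top servers", "first/most recent version" and port columns directly; new versions are just the set difference between this week's and last week's `versions` list.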
Thanks to @mpvillafranca94, @JR0driguezB, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @0bscureC0de, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @spalomaresg, @virsoz, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, and @Techhelplistcom for sharing the mcconfs.
Article Link: http://escinsecurity.blogspot.com/2017/12/weekly-trickbot-analysis-end-of-wc-27.html