Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 30th October 2017. This analysis covers 724 unique C2 IP addresses used in 154 mcconfs across 64 versions, with a latest version of 1000082.
The rate of discovery was slightly slower this week.
C2 ports observed:
- 443 (HTTPS);
- 445 (IBM AS Server Mapper);
- 449 (Cray Network Semaphore Server); and
- 451 (SMB).
The BGP prefix registrations for the C2 server IP addresses are heavily biased toward RU, with US, PL, LT and FR next (each 6+ times less prevalent).
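The figures above (unique C2 IPs, distinct versions and latest version, port breakdown, and the country ratio from BGP prefix registrations) are the kind of roll-up a defender produces from a batch of shared mcconfs. The script below is an added example and is not code from the post or its author. It assumes an XML-like mcconf layout with `<ver>` and `<srv>ip:port</srv>` entries inside `<servs>` (an assumption about the format, not something the post shows), uses constructed sample configs on documentation IP ranges, and stands in a hard-coded prefix-to-country table for the BGP/whois lookup you would run in practice. Malformed `<srv>` entries are skipped rather than crashing the aggregation.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample mcconfs (not real TrickBot configs). The <srv>ip:port</srv>
# layout inside <servs> is an assumption about the format, not taken from the post.
SAMPLE_MCCONFS = [
    """<mcconf><ver>1000081</ver><gtag>sample1</gtag><servs>
<srv>192.0.2.10:443</srv><srv>192.0.2.11:449</srv><srv>198.51.100.5:451</srv>
</servs></mcconf>""",
    """<mcconf><ver>1000082</ver><gtag>sample2</gtag><servs>
<srv>192.0.2.10:443</srv><srv>203.0.113.7:445</srv><srv>192.0.2.12:443</srv>
<srv>not-an-ip:443</srv>
</servs></mcconf>""",
]

# Constructed prefix -> country table standing in for a real BGP prefix / whois lookup.
PREFIX_COUNTRY = {"192.0.2.0/24": "RU", "198.51.100.0/24": "US", "203.0.113.0/24": "PL"}

SRV_RE = re.compile(r"<srv>\s*([^<\s]+)\s*</srv>")
VER_RE = re.compile(r"<ver>\s*(\d+)\s*</ver>")


def parse_mcconf(text):
    """Return (version, [(ip, port), ...]) for one mcconf; malformed entries are skipped."""
    m = VER_RE.search(text)
    version = int(m.group(1)) if m else None
    servers = []
    for entry in SRV_RE.findall(text):
        host, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit():
            continue  # no port, or non-numeric port
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # skip entries whose host is not a valid IP literal
        servers.append((str(ip), int(port)))
    return version, servers


def country_for(ip, prefix_table):
    """Map an IP to a country code via the (constructed) prefix table; '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in prefix_table.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"


def summarise(mcconfs, prefix_table):
    """Aggregate a batch of mcconfs into the weekly-roll-up style numbers."""
    versions = set()
    pairs = set()  # unique (ip, port) pairs across all configs
    for text in mcconfs:
        ver, servers = parse_mcconf(text)
        if ver is not None:
            versions.add(ver)
        pairs.update(servers)
    unique_ips = {ip for ip, _ in pairs}
    ports = Counter(port for _, port in pairs)
    countries = Counter(country_for(ip, prefix_table) for ip in unique_ips)
    ranked = countries.most_common()
    # How many times more prevalent the top country is than the runner-up.
    top_ratio = ranked[0][1] / ranked[1][1] if len(ranked) > 1 else None
    return {
        "configs": len(mcconfs),
        "unique_ips": len(unique_ips),
        "versions": len(versions),
        "latest_version": max(versions) if versions else None,
        "ports": dict(ports),
        "countries": dict(countries),
        "top_country_ratio": top_ratio,
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_MCCONFS, PREFIX_COUNTRY).items():
        print(f"{key}: {value}")
```

Port counts are taken over unique (ip, port) pairs so that an IP repeated across several configs is not double-counted, which matches counting unique C2 addresses rather than raw config entries.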
Thanks to @mpvillafranca94, @VK_Intel, @K_N1kolenko, @hasherezade, @ArnaudDlms, @StackGazer, @0bscureC0de, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @spalomaresg, @virsoz, and @moutonplacide for sharing the mcconfs.
Article Link: http://escinsecurity.blogspot.com/2017/11/weekly-trickbot-analysis-end-of-wc-30.html