Figure 12: TrickBot v24 through v32 C&C servers by country
JSC Mediasoft's networks hosted the most TrickBot C&C servers, followed by OVH; the 9 US C&C servers are spread across 8 separate networks. Tracking C&C IP addresses across configurations, some of the same C&C servers were used throughout versions 24 to 32, but in many cases the IP changed over time. At this time we cannot identify any pattern in whether or when TrickBot shifts its C&C IP addresses.
Figure 13: Top TrickBot C&C hosting networks by ASN owner, geo, and count
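The cross-version C&C comparison described above (which servers persist from one config version to the next, which are new, which were dropped) can be reproduced from extracted config endpoint lists. The following is an added example, not code or data from the report: the endpoints and version numbers are constructed sample values using RFC 5737 documentation addresses, not IoCs.

```python
from collections import defaultdict

# Constructed sample: C&C endpoints (ip:port) as extracted from TrickBot
# configs, keyed by config version. Values are invented for illustration
# (RFC 5737 documentation ranges), not indicators from the report.
CONFIGS = {
    24: ["192.0.2.10:443", "192.0.2.11:443", "198.51.100.5:449", "203.0.113.7:443"],
    25: ["192.0.2.10:443", "198.51.100.5:449", "203.0.113.7:443"],
    26: ["192.0.2.10:443", "203.0.113.7:443", "203.0.113.8:443"],
    27: ["203.0.113.7:443", "203.0.113.8:443", "198.51.100.9:449"],
}

def ip_only(endpoint):
    """Strip the port so a server re-used on a different port still matches."""
    return endpoint.rsplit(":", 1)[0]

def version_churn(configs):
    """Per version: C&C IPs kept from the previous version, newly added, and dropped."""
    churn = {}
    previous = set()
    for version in sorted(configs):
        current = {ip_only(e) for e in configs[version]}
        churn[version] = {
            "kept": sorted(current & previous),
            "added": sorted(current - previous),
            "dropped": sorted(previous - current),
        }
        previous = current
    return churn

def ip_lifetimes(configs):
    """For each C&C IP, the sorted list of config versions that contained it."""
    seen = defaultdict(list)
    for version in sorted(configs):
        for ip in sorted({ip_only(e) for e in configs[version]}):
            seen[ip].append(version)
    return dict(seen)

def persistent_ips(configs):
    """IPs present in every sampled version: the stable infrastructure to block first."""
    sets = [{ip_only(e) for e in endpoints} for endpoints in configs.values()]
    return sorted(set.intersection(*sets)) if sets else []

if __name__ == "__main__":
    for version, delta in version_churn(CONFIGS).items():
        print(version, delta)
    print("lifetimes:", ip_lifetimes(CONFIGS))
    print("persistent:", persistent_ips(CONFIGS))
```

Feeding real per-version config dumps into CONFIGS gives the per-version churn and the first/last-seen span for each server, which is what a defender needs to decide how long an observed C&C address stays worth blocking.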
Conclusion
The analyzed configurations initially saw TrickBot shift away from the Nordic countries and into France, Spain, the US, and the UK; it appeared for a time that the targeting of this malware was becoming more focused on fewer countries and more refined. However, by v32 there was a return to a broad range of targets, suggesting that the threat actors behind TrickBot reached a phase of their development where it made sense to put all the targets together, all at once.
The unusual target set that stood out in our analysis was the rise in US-based firms, especially credit card companies. Before, we had only seen banks and wealth management providers targeted. In addition to credit card companies, we have seen some development of net new URLs; this indicates some level of effort being placed on refining the target set, but there is still an overwhelming reliance on the target set found in the Dyre malware, circa late 2015.
This partly explains how TrickBot is able to go through so many iterations so quickly. It’s time-consuming and difficult to research all the appropriate URLs for all the financial services providers in a specific country, but almost all of that work has been done before. TrickBot’s authors can simply swap in the set of URLs they want from Dyre, make some tweaks based on updates to banks’ login sequences, and spend the rest of their time making the code itself more effective. We anticipate that TrickBot will continue to focus on the same firms Dyre targeted through 2015, and will continue to make small modifications to the URLs to improve the effectiveness of its targeting.
Our initial look at how TrickBot behaved through August shows it is evolving even faster, but our recommendations for mitigating this malware remain largely the same. TrickBot spreads at least in part through spam and phishing campaigns, so security professionals within financial services firms should continue to work with their legal teams on appropriate language to encourage customers to be more aware of social engineering and security risks. When those pesky users still click on links or download files they shouldn’t, advanced web protection services can help firms detect and mitigate banking trojans so that infected users’ accounts aren’t compromised, even when their devices are.
Appendix A: TrickBot Config Screenshots
Sampled MD5: