In the fall of 2018, NTT Security added botnet infrastructure detection capabilities to its Managed Security Services (MSS) Threat Detection services. In the initial press release, there were limited details released on how our machine learning system leverages our access to the NTT global internet infrastructure. NTT own and operate one of the worlds largest tier-1 IP backbone having insight into 40% of the global internet traffic and is consistently ranked among the top five network providers in the world.

In a series of blog posts, we now aim to explain how NTT Security R&D and Threat Detection service teams in collaboration with NTT Security Global Threat Intelligence Center are using netflow data captures to analyze the botnet infrastructure and threat actors behind TrickBot.

Worldwide distribution of TrickBot victims identified using internet backbone data and mapped by geoip.

TrickBot was the first botnet family we began analyzing using our new internet backbone streaming analytics engine in mid-2018. Several research teams and malware researchers classified TrickBot as the top business threat in the end of 2018 as it had been noted to continually increase its activity and actively collaborating with other malware authors spreading various types of payload in its many campaigns. One of the campaigns involving the Ryuk Ransomware was estimated to have generated 3.7 Million USD in Bitcoin value to its authors.

Trickbot has been in development since 2016 and has historical ties to the trojan Dyreza, another banking trojan. TrickBot targets mostly large international banks via webinjects, however it also includes modules to steal credentials, emails, cryptocurrency and other sensitive information. Depending on the campaign and other variables, TrickBot will download the appropriate modules and configuration files from its C2 servers to reach its intended goal. 

Previous analysis and whitepapers related to TrickBot has mostly been focused on reverse engineering of the infection phase, dropper and payload files. Using artifacts uncovered in binaries and on infected computers previous research has profiled some of the Tactics, Techniques and Procedures (TTPs) used by the TrickBot Actors. In this blog post, we will explain how we are utilizing NTT´s unique insight into internet backbone data to map previously unknown C2 infrastructure. We’ll also share pitfalls and insights encountered along with research results gathered.

So far, we have analysed 3 trillion netflows, resulting in seven previously undetected Security Incidents being escalated as part of Threat Detection services.

Automated C2 server identificationThe NTT Internet backbone provides NetFlow output at a pace of roughly 200-250k flows per second, where custom tools are required to efficiently capture relevant communication paths. By seeding the flows with known TrickBot C2 nodes from previous security incidents identified through our Threat Detection service, we could gradually unfold the overall infrastructure using Threat Intelligence, OSINT, knowledge of the victims and actors.

Our initial goal was to map the core infrastructure to the point where we could predict the activity of the threat actors or, simply, Botmasters.

One of our early working theories was as below. An infected machine will connect to maximum one or a few known C2 servers, while someone administrating the C2 servers will connect to many, or all. If we can reliably identify the origin of the Botmaster by applying this working theory to the data made available by the NTT internet backbone, we can predict and identify C2 servers before they are put into production based on network activity.

To automatically identify victims, C2 and Botmaster traffic amongst the noise of the internet, we began implementing graph-based algorithms that could sort through the flow and map out our landscape. Some of these algorithms are shown below.

Network traffic from an infected TrickBot node to its C2 server is well documented and quite easy to distinguish from “normal” network traffic due to the use of specific ports. Depending on the type of traffic it will either connect to TCP447, TCP449 or TCP8082 mixed with traffic over normal HTTP/HTTPS ports. Due to TrickBot utilizing hacked wireless home routers as layer 1 C2 servers, the servers regularly go down and the infection needs to update towards a new server. This allows us to follow an infection and map out new infrastructure without downloading the malware or its configurations.

Early research - victim and C2 identification

With our algorithms set up, we began by adding our first seed of data with the known C2 server 24.119.69[.]70. Adding this to the NetFlow filter quickly gave us clear feedback that this was an active C2 server and identifying over 600 active infections.Apart from identifying infected machines communicating with the hacked router acting as C2 server, our filters also captured outbound regular user activity such as connections towards web-streaming sites and AD-networks.As expected, ordinary users behind these routers continued their day-to-day activities as if nothing has happened. Because of this tracking, the C2 nodes call-back nodes were to become more difficult than we imagined. And to make it even more difficult we noticed user-behaviour from behind some of the C2 servers that did not match up with what would be expected from a single or a few home-users, the amount of activity was far too large.

C2 servers acting as open proxies

At this point, we were convinced that the traffic was coming from users or computers behind the hacked home-routers. However, as the amount of traffic was deviating from what we expected, we looked further into the routers themselves to try and find an answer.

The C2 182.50.64[.]148 gave us the answer:

Using the port 53281 as filter to our NetFlow, it became obvious that inbound traffic towards the C2 could be placed into two categories, anonymous proxy and infected traffic.

During our investigation we were unable to verify why about 50% of the hacked MikroTik routers have proxy services set up in this way. As these routers are regularly scanned, exploited and re-configured by TOR-nodes due to their out-of-the-box vulnerabilities, we suspect that these specific configurations are part of another group’s activity or purpose. This theory is supported by the fact that only a subset of the C2 servers we have identified are configured as proxy servers.

However, it is also possible that the group behind the TrickBot infrastructure are adding these functionalities to their hacked routers as an attempt to avoid traffic monitoring and hide the traffic from the C2 server towards backend layer 2 C2 server amongst the proxy traffic.

Not only a MikroTik factory

The initial TrickBot infection comes readily equipped with a configuration file named mcconf.xml, this file contains a version number, campaign ID and the initial set of C2 servers that the infection will attempt to contact.

Following the initial infection and depending on what campaign the malware is part of, one or more configuration files will be downloaded. These are called dpost, sinj and dinj.

In a later blog post, we will focus on the C2 infrastructure behind each one of these configuration files. As noted in the previous chapter, public IoC information suggest that all or most C2 servers used by TrickBot are hacked home routers, however our research has concluded that only about 50% of the C2 servers are MikroTik routers.

Initial results

Our research into TrickBot and using graph algorithms to detect new C2 servers has initially been incredibly successful. During February alone, our botnet infrastructure mapping technology identified seven active infections in customer networks that existing detection capabilities had been unable to find.

We were able to continuously increase our time to detection for new C2 servers utilizing our NetFlow data and, when measured towards VirusTotal detection scores, in one case we were 168 hours (one week) earlier than any other vendor at detecting a new C2 node.

The graph below shows the detection time offset in hours between our NetFlow analysis and a VirusTotal score of 1 for Trickbot C2 nodes, i.e. at least one AV vendor has classified the C2 as malicious.

Next update

In our next update, we will show how the Botmasters configure their hacked routers, detail the activity of layer 2 C2 servers behind the MikroTik routers and what the infrastructure linked in the different configuration files looks like.


Acknowledgments

This content of this blog post is the result of internal research performed by NTT Security R&D and Threat Detection services teams in collaboration with NTT Security Global Threat Intelligence Center.

We wish to thank our colleagues within the NTT family for all the support and feedback we have received, we also wish to thank all independent researchers and vendor-teams who through Twitter, blogs and whitepapers continuously enable us to learn and correlate our findings.