Colin Mc Hugo

Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.

New Pingback Malware Using ICMP Tunneling to Evade C&C Detection

May 4, 2021

Researchers on Tuesday disclosed a novel malware that uses a range of tricks to stay under the radar and evade detection, while being able to stealthily execute arbitrary commands on infected systems.

Called "Pingback," the Windows malware leverages Internet Control Message Protocol (ICMP) tunneling for covert bot communications, allowing the adversary to use ICMP packets to piggyback attack code, according to an analysis published today by Trustwave.


Pingback ("oci.dll") achieves this by getting loaded by a legitimate service called MSDTC (Microsoft Distributed Transaction Coordinator), a component responsible for handling database operations that are distributed over multiple machines, by taking advantage of a technique called DLL search order hijacking, which involves using a genuine application to preload a malicious DLL file.

Naming the malware after one of the plugins required to support the Oracle ODBC interface in MSDTC is key to the attack, the researchers noted. While MSDTC is not configured to run automatically on startup, a VirusTotal sample submitted in July 2020 was found to install the DLL file into the Windows System directory and start the MSDTC service to achieve persistence, raising the possibility that a separate executable is needed to install the malware.


Upon successful execution, Pingback resorts to using the ICMP protocol for its main communication. ICMP is a network layer protocol primarily used for sending error messages and operational information, say, a failure alert when another host becomes unreachable.

Specifically, Pingback takes advantage of the Echo request (ICMP message type 8), with the message sequence numbers 1234, 1235, and 1236 denoting the kind of information contained in the packet: 1234 marks a command or data, and 1235 and 1236 mark the acknowledgment of receipt of data at the other end. Some of the commands supported by the malware include the capability to run arbitrary shell commands, download and upload files from and to the attacker's host, and execute malicious commands on the infected machine.

An investigation into the malware's initial intrusion route is ongoing.

"ICMP tunneling is not new, but this particular sample piqued our interest as a real-world example of malware using this technique to evade detection," the researchers said. "ICMP is useful for diagnostics and performance of IP connections, [but] it can also be misused by malicious actors to scan and map a target's network environment. While we are not suggesting that ICMP should be disabled, we do suggest putting in place monitoring to help detect such covert communications over ICMP."
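The sequence-number marker scheme described above, and the ICMP monitoring the researchers recommend, as an added detection example that is not from the article or from Trustwave: it parses raw ICMP echo packets (constructed inline as a sample capture), verifies the RFC 792 checksum, and tags echo requests whose sequence number is one of the 1234/1235/1236 markers. The comparison against the Windows ping utility's default payload is an assumed, low-confidence heuristic that the article does not describe.

```python
import struct
from collections import namedtuple
from typing import List, Optional

ICMP_ECHO_REQUEST = 8
# Sequence numbers the article reports Pingback using as message-type markers
PINGBACK_SEQ = {1234: "command-or-data", 1235: "ack", 1236: "ack"}
# Default payload of the Windows ping utility; anything else gets a low-confidence tag (heuristic)
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
IcmpEcho = namedtuple("IcmpEcho", "icmp_type ident seq payload checksum_ok")

def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum over header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(ident: int, seq: int, payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Assemble an ICMP echo packet; used here only to construct sample traffic."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, icmp_checksum(header + payload), ident, seq) + payload

def parse_icmp(packet: bytes) -> Optional[IcmpEcho]:
    """Parse the 8-byte ICMP header (type, code, checksum, id, seq) and verify the checksum."""
    if len(packet) < 8:
        return None
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return IcmpEcho(icmp_type, ident, seq, packet[8:], icmp_checksum(packet) == 0)

def classify(pkt: IcmpEcho) -> List[str]:
    """Tag an echo request; an empty list means nothing notable."""
    tags = []
    if pkt.icmp_type != ICMP_ECHO_REQUEST:
        return tags
    if pkt.seq in PINGBACK_SEQ:  # high confidence: the marker values described in the article
        tags.append(f"pingback-seq-{pkt.seq}-{PINGBACK_SEQ[pkt.seq]}")
    if pkt.payload and pkt.payload != WINDOWS_PING_PAYLOAD:  # low confidence: many tools use custom payloads
        tags.append("non-default-payload")
    return tags

def scan(packets: List[bytes]) -> List[List[str]]:
    """Tag every packet in a capture; entry i holds the tags for packets[i] (unparsable packets get [])."""
    return [classify(p) if p else [] for p in map(parse_icmp, packets)]

# Constructed sample capture: a normal Windows ping, a command-marker request, an ack marker, an echo reply
SAMPLE_CAPTURE = [build_echo(1, 7, WINDOWS_PING_PAYLOAD), build_echo(1, 1234, b"constructed command bytes"),
                  build_echo(1, 1235, b""), build_echo(1, 99, b"abc", icmp_type=0)]
```

In practice the raw bytes would come from a packet capture or an IDS hook rather than `build_echo`; the sequence-number match is the signal worth alerting on, the payload tag is for triage only.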
