New Windows Pingback Malware Uses ICMP for Data Exfiltration

A novel Windows malware sample uses Internet Control Message Protocol (ICMP) for its command-and-control (C2) activities.

Trustwave researchers say “Pingback” targets 64-bit Microsoft Windows systems and relies on DLL hijacking to get loaded by a legitimate Windows service and to persist.

Trustwave’s Lloyd Macrohon and Rodel Mendrez published their findings on the novel Windows malware yesterday. They noted that the malware communicates over ICMP, the protocol also used by the ping command and the Windows traceroute utility (tracert).

The malware’s main file, oci.dll, is just 66 KB in size. It is typically dropped into the Windows System folder by another malicious process.

The researchers say the DLL is not loaded through the usual rundll32.exe; instead it is loaded using a technique called DLL hijacking.

“We knew that the file was suspicious during our initial triaging, but we could not figure out how it was loaded into the system because the DLL was not loaded through traditional rundll32.exe,” state Macrohon and Mendrez.

In DLL hijacking, attackers place a malicious DLL carrying an expected file name in one of the folders that Windows searches for libraries, so that a legitimate application picks it up and loads it in place of the intended file. In Pingback’s case, the loader was the Microsoft Distributed Transaction Coordinator (msdtc) service, which attempts to load an oci.dll (an Oracle client library) at startup; the planted copy in the System folder is what it found.

Researchers suspect that another malware sample, updata.exe, was used both to drop the malicious oci.dll and to configure the msdtc service to start automatically on every boot.

Once loaded by msdtc, oci.dll uses ICMP to receive commands from the attackers’ C2 server.

Trustwave researchers note that “Pingback” uses neither TCP nor UDP, so its communication does not appear in socket-level diagnostic tools such as netstat, which only list TCP and UDP endpoints. The ICMP traffic itself is still visible in packet captures and network monitoring, and the DLL still shows up in the list of modules loaded into the msdtc process.

The attackers move data back and forth in the variable-length data field that ICMP echo requests and replies carry after their fixed header.

“The ICMP data section is where an attacker can piggyback arbitrary data to be sent to a remote host. The remote host replies in the same manner, by [piggybacking] an answer into another ICMP packet and sending it back,” explained Macrohon and Mendrez.

Trustwave’s full technical write-up is available in this blog post.

The Indicators of Compromise (IOCs) for the Pingback malware are as follows:

File: oci.dll

SHA256: E50943D9F361830502DCFDB00971CBEE76877AA73665245427D817047523667F

SHA1: 0190495D0C3BE6C0EDBAB0D4DBD5A7E122EFBB3F

MD5: 264C2EDE235DC7232D673D4748437969

Network:

ICMP Type: 8 (echo request)

Sequence number: 1234, 1235 or 1236

Data size: 788 bytes
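The ICMP piggybacking described above and the network IOCs listed here, as an added example (not Trustwave’s code and not the malware’s): a Python script that builds ICMP echo packets carrying an arbitrary payload in the data field, then parses raw IPv4 frames and flags echo requests matching the published IOCs (type 8, sequence 1234-1236, 788 data bytes). The sample traffic, the addresses, the looser “large echo payload” heuristic and the check of the byte-swapped sequence value (in case the implant writes that field in host byte order) are all assumptions of this example, not facts from the write-up.

```python
import ipaddress
import struct

# Network IOCs published for Pingback (from the list above).
PINGBACK_SEQS = {1234, 1235, 1236}
PINGBACK_DATA_LEN = 788
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
IPPROTO_ICMP = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, shared by the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(icmp_type: int, ident: int, seq: int, data: bytes) -> bytes:
    """ICMP echo header (type, code, checksum, identifier, sequence) followed by
    arbitrary data: this data field is where a tunnel piggybacks its payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + data)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + data


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 128, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def parse_icmp(frame: bytes):
    """Return the ICMP fields of a raw IPv4 frame, or None if it is not ICMP."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != IPPROTO_ICMP or len(frame) < ihl + 8:
        return None
    icmp = frame[ihl:]
    itype, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": str(ipaddress.IPv4Address(frame[12:16])),
        "dst": str(ipaddress.IPv4Address(frame[16:20])),
        "type": itype, "code": code, "ident": ident, "seq": seq,
        "data": icmp[8:],
        # Summing a correct checksum back in over the whole message yields 0.
        "checksum_ok": inet_checksum(icmp) == 0,
    }


def classify(frame: bytes) -> str:
    p = parse_icmp(frame)
    if p is None:
        return "not-icmp"
    # Assumption: also try the byte-swapped value, in case the implant wrote the
    # sequence field in host (little-endian) order rather than network order.
    seqs = {p["seq"], ((p["seq"] & 0xFF) << 8) | (p["seq"] >> 8)}
    if (p["type"] == ICMP_ECHO_REQUEST and seqs & PINGBACK_SEQS
            and len(p["data"]) == PINGBACK_DATA_LEN):
        return "pingback-ioc"
    # Assumption: looser heuristic for generic ICMP tunnelling, not a published IOC.
    # A Windows ping carries 32 data bytes and a Linux ping 56; far larger payloads deserve a look.
    if p["type"] in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) and len(p["data"]) > 128:
        return "large-echo-payload"
    return "benign"


def scan(frames):
    """Return (index, verdict) for every frame worth an analyst's attention."""
    hits = []
    for i, frame in enumerate(frames):
        verdict = classify(frame)
        if verdict not in ("not-icmp", "benign"):
            hits.append((i, verdict))
    return hits


def sample_frames():
    """Constructed traffic for illustration, not a real capture."""
    return [
        build_ipv4("10.0.0.5", "10.0.0.1", IPPROTO_ICMP,
                   build_icmp_echo(ICMP_ECHO_REQUEST, 1, 1, bytes(32))),             # ordinary ping
        build_ipv4("10.0.0.5", "203.0.113.10", IPPROTO_ICMP,
                   build_icmp_echo(ICMP_ECHO_REQUEST, 1, 1234, bytes(788))),         # Pingback-style beacon
        build_ipv4("203.0.113.10", "10.0.0.5", IPPROTO_ICMP,
                   build_icmp_echo(ICMP_ECHO_REPLY, 1, 1234, b"cmd" + bytes(785))),  # answer piggybacked on the reply
        build_ipv4("10.0.0.5", "10.0.0.1", IPPROTO_ICMP,
                   build_icmp_echo(ICMP_ECHO_REQUEST, 1, 7, b"A" * 300)),            # generic oversized echo
        build_ipv4("10.0.0.5", "10.0.0.1", 17, bytes(8)),                             # UDP, ignored
    ]


if __name__ == "__main__":
    frames = sample_frames()
    for idx, verdict in scan(frames):
        p = parse_icmp(frames[idx])
        print(f"frame {idx}: {verdict} {p['src']} -> {p['dst']} seq={p['seq']} data={len(p['data'])}")
```

To run this over a real capture, strip the link-layer header from each packet (14 bytes for Ethernet) and pass the remaining IPv4 frames to scan(); the sequence-number and size match is the published IOC, while the large-payload verdict is only a triage hint and will also fire on legitimate large pings.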


About the author

CIM Team
