A novel Windows malware sample uses Internet Control Message Protocol (ICMP) for its command-and-control (C2) activities.
Trustwave researchers say “Pingback” targets Microsoft Windows 64-bit systems and uses DLL Hijacking for persistence.
Trustwave’s Lloyd Macrohon and Rodel Mendrez published their findings on the novel Windows malware yesterday. They noted the malware’s use of the ICMP protocol, which is also used by the ping command and the Windows traceroute utility.
The malware’s main file is just 66 KB in size and is called oci.dll. It is typically dropped inside the Windows “System” folder by another malicious process.
The researchers say this DLL is not loaded through the Windows rundll32.exe utility but is run using a technique called DLL hijacking.
“We knew that the file was suspicious during our initial triaging, but we could not figure out how it was loaded into the system because the DLL was not loaded through traditional rundll32.exe,” state Macrohon and Mendrez.
In a DLL hijacking technique, attackers place a malicious DLL file in one of the folders trusted by the Windows operating system, so that a legitimate system application picks it up and runs it. In Pingback’s case, it was the Microsoft Distributed Transaction Control (msdtc) service that loaded the malicious oci.dll.
Researchers suspect that the attackers used another malware sample, updata.exe, both to drop the malicious oci.dll and to configure msdtc to run on every startup.
Once launched by msdtc, the oci.dll malware uses ICMP to receive commands from the attackers’ C2 server.
Trustwave researchers note that “Pingback” uses neither TCP nor UDP for communication, so diagnostic tools like netstat, which list TCP and UDP endpoints, cannot reveal oci.dll’s activity.
The attackers use the “data” field of ICMP packets to carry data back and forth between the two systems.
“The ICMP data section is where an attacker can piggyback arbitrary data to be sent to a remote host. The remote host replies in the same manner, by [piggybacking] an answer into another ICMP packet and sending it back,” explained Macrohon and Mendrez.
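Because the channel lives entirely inside ICMP echo messages, a defender has to look at the ICMP header and data field directly rather than at socket tables. The following Python is an added example, not code from the article or from Trustwave: it parses the 8-byte ICMP echo header (type, code, checksum, identifier, sequence number), measures the trailing data field, verifies the RFC 1071 checksum, and flags messages that match the indicators the article lists (sequence numbers 1234, 1235 or 1236, and a 788-byte data field). The sample messages are constructed inline; the function and constant names are this example’s own.

```python
import struct
from typing import Dict, List

# ICMP message types for echo traffic (what ping and traceroute use).
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_HEADER_LEN = 8

# Indicators of compromise listed in the article for Pingback.
PINGBACK_SEQ_NUMBERS = {1234, 1235, 1236}
PINGBACK_DATA_SIZE = 788


def icmp_checksum(msg: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP message.

    Applied to a message whose checksum field is already filled in,
    a valid message yields 0.
    """
    if len(msg) % 2:
        msg += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(msg) // 2), msg))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int, seq: int, data: bytes,
                    icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Build an ICMP echo message with a correct checksum (used to construct sample input)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + data)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + data


def parse_icmp_echo(msg: bytes) -> Dict:
    """Parse the ICMP echo header and report the size of the trailing data field."""
    if len(msg) < ICMP_HEADER_LEN:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:ICMP_HEADER_LEN])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        raise ValueError("not an ICMP echo request/reply: type %d" % icmp_type)
    return {
        "type": icmp_type,
        "code": code,
        "identifier": ident,
        "sequence": seq,
        "data_len": len(msg) - ICMP_HEADER_LEN,
        "checksum_ok": icmp_checksum(msg) == 0,
    }


def pingback_indicators(msg: bytes) -> List[str]:
    """Return the Pingback IoCs that an ICMP echo message matches (empty list if none)."""
    fields = parse_icmp_echo(msg)
    hits = []
    if fields["sequence"] in PINGBACK_SEQ_NUMBERS:
        hits.append("sequence number %d" % fields["sequence"])
    if fields["data_len"] == PINGBACK_DATA_SIZE:
        hits.append("data size %d bytes" % fields["data_len"])
    return hits


def scan_icmp_messages(messages: List[bytes]) -> List[Dict]:
    """Run the IoC check over a batch of ICMP messages and return only the matches."""
    flagged = []
    for idx, msg in enumerate(messages):
        try:
            hits = pingback_indicators(msg)
        except ValueError:
            continue  # not echo traffic, so nothing to compare against
        if hits:
            flagged.append({"index": idx, "indicators": hits, **parse_icmp_echo(msg)})
    return flagged


# Constructed sample traffic: a normal Windows ping (32-byte payload, seq 1)
# followed by two messages that match the published indicators.
SAMPLE_MESSAGES = [
    build_icmp_echo(ident=1, seq=1, data=b"abcdefghijklmnopqrstuvwabcdefghi"),
    build_icmp_echo(ident=1, seq=1234, data=b"\x00" * PINGBACK_DATA_SIZE),
    build_icmp_echo(ident=1, seq=7, data=b"\x41" * PINGBACK_DATA_SIZE,
                    icmp_type=ICMP_ECHO_REPLY),
]

if __name__ == "__main__":
    for hit in scan_icmp_messages(SAMPLE_MESSAGES):
        print(hit)
```

The messages here are bare ICMP (what you get after stripping the IP header from a raw socket or pcap); the sequence-number and data-size checks are exactly the two indicators the article publishes, so the matcher will only catch samples that keep those values, and a production rule would also want to baseline normal echo payload sizes on the network.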
Trustwave’s full technical write-up is available in this blog post.
The Indicators of Compromise (IOCs) for the Pingback malware are as follows:
Sequence Number: 1234|1235|1236
Data size: 788 bytes