A new Windows malware has been discovered that uses Internet Control Message Protocol (ICMP) for its C2 activities. The malware, named Pingback, targets Microsoft Windows 64-bit systems. In addition, it uses the DLL hijacking technique to establish persistence on the infected system.
What has happened?
A principal security researcher and a senior architect from Trustwave have released their findings on Pingback. The malware was found to use the ICMP protocol for its communication.
First, the researchers discovered a malicious file identified as oci[.]dll. This 66KB DLL file is dropped within the Windows System folder by another malicious process or attack vector.
The initial entry vector of oci[.]dll has not yet been identified. However, another malware sample, updata[.]exe, drops the malicious oci[.]dll in the System folder and configures Microsoft Distributed Transaction Control (msdtc) to run on every startup.
Rather than being loaded by the Windows application rundll32[.]exe, this DLL relies on DLL hijacking. Using this method, attackers can abuse trusted Windows processes to execute arbitrary malicious code.
Specifically, the msdtc service is used to load the malicious oci[.]dll. On launch, the msdtc service searches for three DLLs to load: xa80[.]dll, oci[.]dll, and SqlLib80[.]dll, which is how the dropped oci[.]dll ends up being loaded.
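The check a defender would want after reading the above is whether any of the three DLL names that msdtc searches for are sitting in the System folder, and whether the msdtc service has been set to start automatically. The following script is an added example, not code from the article or from Trustwave. It assumes (as the article implies) that a typical Windows install without an Oracle client has none of these DLLs in System32, so any hit is worth comparing against a known-good inventory or vendor-published hashes; the sample file it seeds into a temporary folder is a constructed placeholder, not the real sample.

```python
import hashlib
import os
import sys
import tempfile
from typing import Dict, List, Optional

# DLL names the msdtc service searches for at launch, as listed in the article.
MSDTC_SEARCHED_DLLS = ["xa80.dll", "oci.dll", "SqlLib80.dll"]


def audit_msdtc_dlls(system_dir: str) -> List[Dict[str, object]]:
    """Report which msdtc-searched DLL names exist in system_dir, with size and SHA-256.

    Assumption: on a typical Windows install without an Oracle client none of these
    files are present, so every finding deserves a look.
    """
    findings = []
    for name in MSDTC_SEARCHED_DLLS:
        path = os.path.join(system_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        findings.append({
            "name": name,
            "path": path,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return findings


def msdtc_start_type() -> Optional[int]:
    """Read the MSDTC service 'Start' value (2 = automatic) from the registry.

    Returns None when not running on Windows, so the rest of the script stays usable
    for offline analysis of a mounted image directory.
    """
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Services\MSDTC")
    try:
        value, _ = winreg.QueryValueEx(key, "Start")
    finally:
        winreg.CloseKey(key)
    return int(value)


# Constructed stand-in for a dropped DLL: an MZ header plus filler, not real malware.
CONSTRUCTED_OCI_DLL = b"MZ" + b"\x00" * 62 + b"constructed placeholder for the example"


def demo_audit() -> List[Dict[str, object]]:
    """Run the audit against a temporary folder seeded with the constructed oci.dll."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "oci.dll"), "wb") as fh:
            fh.write(CONSTRUCTED_OCI_DLL)
        with open(os.path.join(tmp, "unrelated.dll"), "wb") as fh:
            fh.write(b"MZ")  # must not be reported: not a name msdtc searches for
        return audit_msdtc_dlls(tmp)


if __name__ == "__main__":
    # Default target is the live System32 folder; pass a path to audit a mounted image.
    default_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    target = sys.argv[1] if len(sys.argv) > 1 else default_dir
    for finding in audit_msdtc_dlls(target):
        print("%(name)s  %(size)d bytes  sha256=%(sha256)s" % finding)
    print("MSDTC service Start value:", msdtc_start_type())
```

Run it on a host to list any of the three names present with their hashes, which can then be compared against the organisation's software inventory; a Start value of 2 together with an unexpected oci.dll matches the persistence pattern described above.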
The use of ICMP tunneling
The malware uses ICMP tunneling to evade detection: ICMP does not use ports, TCP, or UDP, so the malicious DLL's traffic may not be picked up by diagnostic tools.
Pingback uses ICMP echo (ping) requests, that is, type 8 ICMP messages. It runs a sniffer for every IP address on the host, spawning one thread per address to capture packets.
To tell its own packets apart from other traffic, the sniffer ignores anything that is not an ICMP echo packet or that does not carry ICMP sequence number 1234, 1235, or 1236.
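The traits just described (echo requests, fixed sequence numbers 1234 to 1236) are exactly what a defender's monitoring can key on. The script below is an added example, not code from the article or from Trustwave: it parses raw IPv4/ICMP datagrams, verifies the ICMP checksum, and flags echo requests that carry one of the Pingback sequence numbers or an unusually large payload. The sample traffic is constructed inline with RFC 5737 documentation addresses, and the 64-byte payload threshold is an assumption based on the 32-byte Windows and 56-byte Linux ping defaults.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP_ECHO_REQUEST = 8
# Sequence numbers the Pingback sniffer keys on, as stated in the article.
PINGBACK_SEQUENCES = {1234, 1235, 1236}
# Assumed threshold: Windows ping sends 32 payload bytes, Linux 56; larger is unusual.
MAX_NORMAL_PAYLOAD = 64


@dataclass
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    identifier: int
    sequence: int
    payload: bytes
    checksum_ok: bool


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (zero-padded if odd length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_icmp(frame: bytes) -> Optional[IcmpPacket]:
    """Return the ICMP message inside a raw IPv4 datagram, or None if it is not ICMP."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 1 or len(frame) < ihl + 8:  # IP protocol 1 = ICMP
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    icmp = frame[ihl:]
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    # A correct checksum makes the whole ICMP message fold to zero.
    return IcmpPacket(src, dst, icmp_type, ident, seq, icmp[8:], inet_checksum(icmp) == 0)


def suspicious_reasons(pkt: IcmpPacket) -> List[str]:
    """Detection logic: reasons a defender should look at this ICMP packet."""
    reasons = []
    if pkt.icmp_type == ICMP_ECHO_REQUEST and pkt.sequence in PINGBACK_SEQUENCES:
        reasons.append("echo request with Pingback sequence %d" % pkt.sequence)
    if len(pkt.payload) > MAX_NORMAL_PAYLOAD:
        reasons.append("oversized payload (%d bytes)" % len(pkt.payload))
    if not pkt.checksum_ok:
        reasons.append("bad ICMP checksum")
    return reasons


def scan(frames: List[bytes]) -> List[Tuple[IcmpPacket, List[str]]]:
    """Run the detection over raw datagrams and return only the flagged packets."""
    hits = []
    for frame in frames:
        pkt = parse_ipv4_icmp(frame)
        if pkt is None:
            continue
        reasons = suspicious_reasons(pkt)
        if reasons:
            hits.append((pkt, reasons))
    return hits


def build_echo(src: str, dst: str, icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build a constructed IPv4+ICMP datagram with valid checksums (sample data only)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_FRAMES = [
    build_echo("192.0.2.10", "198.51.100.5", 8, 1, 7, b"abcdefghijklmnopqrstuvwabcdefghi"),  # ordinary 32-byte ping
    build_echo("192.0.2.10", "198.51.100.5", 8, 1, 1234, b"cmd"),                          # Pingback sequence number
    build_echo("192.0.2.10", "198.51.100.5", 8, 1, 1235, b"X" * 200),                      # Pingback sequence + big payload
    build_echo("198.51.100.5", "192.0.2.10", 0, 1, 1234, b"ok"),                           # echo reply: not a type 8 request
    b"\x45\x00\x00\x14" + b"\x00" * 5 + b"\x06" + b"\x00" * 10,                             # TCP datagram: skipped
]

if __name__ == "__main__":
    for pkt, reasons in scan(SAMPLE_FRAMES):
        print("%s -> %s type %d seq %d: %s" % (pkt.src, pkt.dst, pkt.icmp_type,
                                               pkt.sequence, "; ".join(reasons)))
```

Fed with packets captured from a network tap or a pcap reader, the same `scan` function gives the kind of ICMP monitoring the researchers recommend; the sequence-number rule is specific to this family, while the payload-size and checksum rules catch tunnelling more generally.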
Conclusion
This particular malware demonstrates how ICMP tunneling can be used to evade detection. While the researchers are not suggesting disabling or stopping the use of ICMP, they do recommend a monitoring mechanism to help identify such covert communications over ICMP.