Cybersecurity researchers revealed an advanced malware strain known as ‘Pingback’ that effectively evades detection while executing arbitrary commands on compromised systems. This Windows-based malware employs sophisticated techniques to maintain a low profile and manipulate infected machines covertly, showcasing its capability to bypass conventional security measures.

Pingback uses Internet Control Message Protocol (ICMP) tunneling for covert communication between compromised devices and the threat actors. According to an analysis released by Trustwave, the malware encodes attack commands inside ICMP packets, undermining traditional detection mechanisms that focus on common traffic patterns and protocols.

This malware is particularly insidious as it gets loaded through a legitimate Windows service called Microsoft Distributed Transaction Coordinator (MSDTC), which handles database operations across multiple devices. It employs a technique known as DLL search order hijacking, where a malicious DLL, identified as “oci.dll,” is preloaded by a trustworthy application. This manipulation provides a route for the malware to execute its commands with increased credibility while avoiding immediate detection.

By masquerading as a necessary component of the Oracle ODBC interface, Pingback gains the potential to persist on an infected system, even if the MSDTC service is not configured to run at startup. Recent findings indicate that a sample analyzed in July 2020 installed this DLL into the Windows System directory, subsequently starting the MSDTC service to establish persistence, suggesting that an additional executable may be critical for its initial deployment.

Once operational, Pingback relies predominantly on ICMP for its communications. ICMP is traditionally used for error messages and operational notifications within a network. Specifically, Pingback abuses Echo requests (ICMP type 8), using specific sequence numbers in those messages to relay commands and acknowledge receipt. This mechanism lets it perform a range of malicious activities, such as running arbitrary shell commands and transferring files between the infected machine and the attacker’s server.
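The Echo-request channel described above can be checked for from the defender's side. The following is an added example, not code from Trustwave's analysis or the original article: a Python heuristic that parses raw ICMP Echo requests and flags payloads that do not look like a stock ping (unusual length, command-like text, or high entropy). The packets, thresholds and default payload sizes below are assumptions constructed for illustration.

```python
import math
import struct

# Payload a stock Windows "ping" sends: 32 bytes, 'a'..'w' then 'a'..'i'.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

def parse_icmp(packet: bytes) -> dict:
    """Split a raw ICMP message into its 8-byte header fields and payload."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, checksum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "checksum": checksum,
            "id": ident, "seq": seq, "payload": packet[8:]}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for random/encrypted data, low for repetitive text."""
    if not data:
        return 0.0
    n = len(data)
    counts = {b: data.count(b) for b in set(data)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def echo_request_anomalies(packet: bytes) -> list:
    """Return reasons an Echo request looks like a covert channel (empty = benign).
    Heuristics only: a stock ping has a fixed-size, well-known payload, while a
    tunnel carries variable-length text (commands) or high-entropy blobs (files)."""
    msg = parse_icmp(packet)
    if msg["type"] != 8:          # only Echo requests are of interest here
        return []
    payload = msg["payload"]
    if payload == WINDOWS_PING_PAYLOAD:
        return []                 # exact match for a stock Windows ping
    reasons = []
    if len(payload) not in (32, 56):   # assumed Windows / Linux ping defaults
        reasons.append(f"unusual payload length {len(payload)}")
    printable = sum(32 <= b < 127 for b in payload)
    if payload and printable / len(payload) > 0.9 and b" " in payload:
        reasons.append("payload is space-separated text (command-like)")
    if shannon_entropy(payload) > 6.0:
        reasons.append("high-entropy payload (possible encoded file data)")
    return reasons

def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble a constructed Echo request for testing (checksum left as 0)."""
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload

# Constructed samples: a normal Windows ping and a packet carrying text.
BENIGN = build_echo_request(0x0001, 1, WINDOWS_PING_PAYLOAD)
SUSPECT = build_echo_request(0x0001, 2, b"echo test command")
```

In practice the function would be fed ICMP payloads extracted from a packet capture or sensor; the thresholds are starting points to tune against a baseline of the network's own ping traffic.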

Investigative efforts are currently underway to uncover the initial access vector used by Pingback. While ICMP tunneling is not a new tactic, its use in this malware is a practical illustration of how such methods can bypass established security controls.

The researchers emphasize that, although ICMP plays a vital role in network diagnostics and performance, it can be abused by malicious actors to perform reconnaissance and map a target’s network. They recommend that businesses deploy monitoring capable of detecting covert communications over ICMP, rather than disabling the protocol outright.
