A novel Windows malware dubbed ‘Pingback’ uses a variety of tricks to stay under the radar and evade detection while remaining capable of stealthily executing arbitrary commands on the infected system. Pingback leverages ICMP tunneling for covert bot communications, allowing the adversary to piggyback commands and data on ICMP packets.
Pingback (the file “oci.dll”) achieves persistence and stealth by getting loaded through a legitimate Windows service, MSDTC (the Microsoft Distributed Transaction Coordinator, the component responsible for handling database transactions that span multiple machines). It does so by taking advantage of a technique called DLL search order hijacking: the malicious DLL is placed where the genuine application looks for the library it expects, so the trusted process loads the attacker's code itself.
Once executed, Pingback uses the ICMP protocol as its main communication channel. ICMP is a network layer protocol used mainly for sending error messages and operational information, for example a failure alert when another host becomes unreachable.
Pingback tunnels its traffic inside ICMP Echo requests and uses the message sequence number to denote the type of information contained in the packet: 1234 marks a packet carrying a command or data, while 1235 and 1236 serve as acknowledgments that the data was received on the other end.
ICMP is useful for diagnosing and measuring the performance of IP connections, but it can also be misused by malicious actors to scan and map a target's network environment or, as Pingback shows, to carry covert traffic. Since disabling ICMP breaks legitimate diagnostics, monitoring it rather than disabling it is the better option.
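To make the sequence-number convention from the article concrete, and to show what "monitoring rather than disabling" ICMP can look like in practice, here is an added example (not code from the article or from the Pingback sample itself). It builds a few ICMP Echo packets with valid checksums, parses them, and flags senders whose Echo traffic uses the 1234/1235/1236 sequence numbers the article attributes to Pingback. The packet payloads, host addresses and the decision to treat the payload as opaque bytes are assumptions for illustration; the article does not describe Pingback's payload format.

```python
import struct

# Sequence numbers the article attributes to Pingback's ICMP Echo traffic.
SEQ_COMMAND_OR_DATA = 1234
SEQ_ACK = (1235, 1236)

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP Echo Request (type 8) or Echo Reply (type 0) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes):
    """Return (type, id, seq, payload), or None for truncated, non-Echo or corrupted packets."""
    if len(packet) < 8:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        return None
    # A correctly checksummed packet sums to zero when the checksum field is included.
    if icmp_checksum(packet) != 0:
        return None
    return icmp_type, ident, seq, packet[8:]


def classify(packet: bytes) -> str:
    """Map one ICMP packet to a verdict using the article's sequence-number convention."""
    parsed = parse_echo(packet)
    if parsed is None:
        return "ignore"
    _icmp_type, _ident, seq, payload = parsed
    if seq == SEQ_COMMAND_OR_DATA and payload:
        return "command_or_data"
    if seq in SEQ_ACK:
        return "ack"
    return "benign"


def scan(packets):
    """Group suspicious verdicts by source address; packets is an iterable of (src, raw_icmp)."""
    findings = {}
    for src, pkt in packets:
        verdict = classify(pkt)
        if verdict in ("command_or_data", "ack"):
            findings.setdefault(src, []).append(verdict)
    return findings


# Constructed sample traffic (hypothetical hosts and payloads, not captured data).
SAMPLE_PACKETS = [
    ("10.0.0.5", build_echo(ICMP_ECHO_REQUEST, 0x0001, 1234, b"whoami\x00")),
    ("10.0.0.5", build_echo(ICMP_ECHO_REPLY, 0x0001, 1235, b"")),
    # An ordinary ping: low sequence number and the fixed alphabet payload Windows ping sends.
    ("10.0.0.7", build_echo(ICMP_ECHO_REQUEST, 0x0001, 7, b"abcdefghijklmnopqrstuvwabcdefghi")),
    ("10.0.0.9", b"\x08\x00\x00\x00"),  # truncated header, should be ignored
]

if __name__ == "__main__":
    for src, verdicts in scan(SAMPLE_PACKETS).items():
        print(src, verdicts)
```

A long-running ping from a legitimate host will eventually reach sequence number 1234 on its own, so a sequence-number match is a trigger for closer inspection, not proof of compromise; in a real deployment you would correlate it with the payload content (a normal ping carries a fixed pattern or a timestamp, not command text) and with the volume of Echo traffic between the same two hosts.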