
How the New Pingback Malware Uses Stealth to Avoid C&C Detection

by CISOCONNECT Bureau

Microsoft Windows 64-bit systems are being targeted by a new Windows malware. Read on to know more about it…

According to an analysis published by Trustwave, a newly discovered Windows malware performs its command-and-control (C2) communication over the Internet Control Message Protocol (ICMP). Pingback, as the malware is called, targets 64-bit Microsoft Windows systems and uses DLL hijacking to maintain persistence on the infected host.

Observations
Trustwave’s findings on Pingback were published by a principal security researcher and a senior architect. The malware was found to communicate over ICMP.

The researchers first came across a malicious file named oci[.]dll, a 66KB DLL that is dropped into the Windows System folder by another malicious process or attack vector.

oci[.]dll’s initial entry vector has yet to be identified. Updata[.]exe, however, is known to place the malicious oci[.]dll in the System folder and to configure the Microsoft Distributed Transaction Control (MSDTC) service to run at every startup.

The malicious oci[.]dll is then loaded by the msdtc service. When MSDTC starts, it looks for three DLLs to load: xa80[.]dll, oci[.]dll, and SqlLib80[.]dll.

According to the researchers, passing the malware off as one of the plugins MSDTC loads to support the Oracle ODBC interface is central to the attack. Although MSDTC is not set to run automatically at startup, a sample submitted to VirusTotal in July 2020 was found to install the DLL into the Windows System directory and start the MSDTC service to achieve persistence, which makes it more likely that the malware relies on a separate executable for installation.
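The DLL search described above is what a defender can check for on a host: none of the three plugin DLLs ships with Windows, so any of them sitting in the System folder deserves a look, as does an MSDTC service that has been switched to automatic start. The following Python is an added example, not code from the article or from Trustwave. It reports which of the three names exist in a given directory (with size and SHA-256 for triage), reads the MSDTC service start type from the standard `Services\MSDTC` registry key when run on Windows, and builds a constructed sample directory so the check can be exercised anywhere; `find_msdtc_plugin_dlls`, `msdtc_start_type` and `make_sample_system_dir` are this example's own names.

```python
import hashlib
import os
import sys
import tempfile
from typing import Dict, List, Optional

# DLL names the article says MSDTC tries to load at start-up. None of them is
# part of a stock Windows install, so their presence in System32 is notable.
MSDTC_PLUGIN_DLLS = ("xa80.dll", "oci.dll", "SqlLib80.dll")

# Standard meaning of the "Start" value under a service's registry key.
SERVICE_START_NAMES = {2: "Automatic", 3: "Manual", 4: "Disabled"}


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries do not have to be read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_msdtc_plugin_dlls(system_dir: str) -> List[Dict[str, object]]:
    """Return one record per MSDTC plugin DLL name found in system_dir."""
    findings = []
    for name in MSDTC_PLUGIN_DLLS:
        path = os.path.join(system_dir, name)
        if os.path.isfile(path):
            findings.append({
                "name": name,
                "path": path,
                "size": os.path.getsize(path),
                "sha256": sha256_of(path),
            })
    return findings


def msdtc_start_type() -> Optional[str]:
    """On Windows, read the MSDTC service start type from the registry; None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Services\MSDTC")
    try:
        value, _kind = winreg.QueryValueEx(key, "Start")
    finally:
        winreg.CloseKey(key)
    return SERVICE_START_NAMES.get(value, str(value))


def make_sample_system_dir(with_dll: bool = True) -> str:
    """Constructed test fixture: a temp directory that optionally holds a fake oci.dll."""
    directory = tempfile.mkdtemp(prefix="msdtc-check-")
    if with_dll:
        with open(os.path.join(directory, "oci.dll"), "wb") as fh:
            fh.write(b"x" * 100)  # placeholder bytes, not a real DLL
    return directory


if __name__ == "__main__":
    # On a live Windows host, point the check at the real System folder.
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    for finding in find_msdtc_plugin_dlls(system_dir):
        print(f"{finding['name']}: {finding['size']} bytes sha256={finding['sha256']}")
    print("MSDTC start type:", msdtc_start_type())
```

A hit from this check is a lead, not a verdict: machines with Oracle client software installed may legitimately carry oci.dll, so the hash and file size are there to be compared against a known-good copy before anything is acted on.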

The malware can run arbitrary shell commands, download files from and upload files to the attacker’s host, and execute malicious commands on the infected computer, among other capabilities. Its initial intrusion route is still under investigation.

ICMP Tunneling
Because ICMP is neither TCP nor UDP and has no notion of ports, the malware uses ICMP tunneling to avoid detection. As a result, diagnostic tools can fail to detect the malicious DLL file. Pingback uses the ICMP echo request (ping), i.e. the type 8 ICMP message. It enumerates the IP addresses on the host and starts a sniffer thread for each one.

The sniffer ignores any packet that is not an ICMP echo packet or that does not carry one of the ICMP sequence numbers 1236, 1235, or 1234; those sequence numbers are how the malware distinguishes its own traffic from ordinary pings.
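The same filter the malware applies can be turned around into a detection. The following Python is an added example, not code from the article or from Trustwave: it parses raw IPv4 ICMP echo packets, flags any whose sequence number is one of the 1234/1235/1236 markers named above, and, as a second heuristic that is an assumption of this example rather than something the article states, flags echo payloads larger than 64 bytes, since routine pings carry 32 bytes (Windows) or 56 bytes (Linux). The sample packets are constructed inside the block; `build_icmp_echo`, `scan_capture` and the other names are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# ICMP sequence numbers the article says the Pingback sniffer keys on.
PINGBACK_SEQ_NUMBERS = {1234, 1235, 1236}
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
IPPROTO_ICMP = 1
# Assumption of this example: ordinary pings carry small payloads (32 bytes on
# Windows, 56 on Linux), so anything larger is worth a second look.
MAX_BENIGN_PAYLOAD = 64


@dataclass
class IcmpEcho:
    src: str
    dst: str
    icmp_type: int
    ident: int
    seq: int
    payload: bytes


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src: str, dst: str, seq: int, payload: bytes, ident: int = 1,
                    icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Construct a raw IPv4 + ICMP echo packet; used here only to build sample traffic."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                         IPPROTO_ICMP, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def parse_ipv4_icmp_echo(packet: bytes) -> Optional[IcmpEcho]:
    """Return an IcmpEcho for an IPv4 ICMP echo request/reply, or None for anything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4  # header length in bytes
    if ihl < 20 or packet[9] != IPPROTO_ICMP or len(packet) < ihl + 8:
        return None
    icmp_type, _code, _cksum, ident, seq = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return IcmpEcho(src, dst, icmp_type, ident, seq, packet[ihl + 8:])


def suspicious_reasons(echo: IcmpEcho) -> List[str]:
    """Heuristics a monitor can apply to one echo packet; an empty list means nothing flagged."""
    reasons = []
    if echo.seq in PINGBACK_SEQ_NUMBERS:
        reasons.append(f"ICMP sequence number {echo.seq} is in the Pingback marker set")
    if len(echo.payload) > MAX_BENIGN_PAYLOAD:
        reasons.append(f"payload of {len(echo.payload)} bytes exceeds {MAX_BENIGN_PAYLOAD}")
    return reasons


def scan_capture(packets) -> List[dict]:
    """Run the heuristics over raw packets and return one alert per flagged echo."""
    alerts = []
    for raw in packets:
        echo = parse_ipv4_icmp_echo(raw)
        if echo is None:
            continue  # not an ICMP echo: same filter the malware itself applies
        reasons = suspicious_reasons(echo)
        if reasons:
            alerts.append({"src": echo.src, "dst": echo.dst, "seq": echo.seq, "reasons": reasons})
    return alerts


# Constructed sample traffic (not a real capture): a routine Windows-style ping with
# its 32-byte pattern, an echo carrying a marker sequence number, an oversized echo,
# and a packet whose IPv4 header claims TCP, which the parser must ignore.
SAMPLE_PACKETS = [
    build_icmp_echo("10.0.0.5", "10.0.0.1", seq=1, payload=b"abcdefghijklmnopqrstuvwabcdefghi"),
    build_icmp_echo("10.0.0.9", "203.0.113.7", seq=1234, payload=b"constructed tunnel data"),
    build_icmp_echo("10.0.0.9", "203.0.113.7", seq=77, payload=b"A" * 200),
    bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6]) + b"\x00" * 30,
]

if __name__ == "__main__":
    for alert in scan_capture(SAMPLE_PACKETS):
        print(alert)
```

The sequence-number match is specific to this sample and trivially changed by the author, so the payload-size heuristic, or a per-host baseline of echo volume and destinations, is the part of such monitoring that keeps working against the next variant.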

The researchers said, “ICMP tunneling is not new, but this particular sample piqued our interest as a real-world example of malware using this technique to evade detection.”

“ICMP is useful for diagnostics and performance of IP connections, [but] it can also be misused by malicious actors to scan and map a target’s network environment. While we are not suggesting that ICMP should be disabled, we do suggest putting in place monitoring to help detect such covert communications over ICMP.”

Concluding Words
This malware shows how ICMP tunneling can be used to circumvent detection. Although the researchers do not recommend disabling ICMP, they do recommend putting monitoring in place to help detect such clandestine ICMP communications.
