New Pingback Malware Using ICMP Tunneling to Evade C&C Detection
May 04, 2021
Researchers on Tuesday disclosed a novel malware that uses a variety of tricks to stay under the radar and evade detection, while remaining capable of executing arbitrary commands on infected systems. Called 'Pingback,' the Windows malware leverages Internet Control Message Protocol (ICMP) tunneling for covert bot communications, allowing the adversary to use ICMP packets to piggyback attack code, according to an analysis published today by Trustwave. Pingback ("oci.dll") achieves this by getting loaded through a legitimate service called MSDTC (Microsoft Distributed Transaction Coordinator) — a component responsible for handling database operations that are distributed over multiple machines — by taking advantage of a method called DLL search order hijacking, which involves using a genuine application to preload a malicious DLL file. Naming the malware as one of the plugins required for supporting the Oracle ODBC interface in MSDTC is key to th...
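Because the covert channel rides on ICMP echo traffic, one defensive check is to compare each echo packet's payload against what stock ping tools actually send and flag anything else. The following is an added illustration written for this article, not code from Trustwave's analysis or from the malware: it builds constructed echo requests, validates the ICMP checksum, and applies simple payload heuristics (the stock-payload layouts, the size limit and the entropy threshold are assumptions chosen for the example).

```python
import math
import struct

# Default echo payloads of common ping tools, reconstructed from their known layouts:
# Windows ping sends a 32-byte repeating alphabet; Linux iputils ping sends 56 bytes
# (a 16-byte timeval followed by the bytes 0x10..0x37).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PING_PATTERN = bytes(range(0x10, 0x38))


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """Build a constructed ICMP echo request (type 8, code 0) carrying `payload`."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; packed or encrypted data sits near 8, text patterns far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def classify_icmp(packet: bytes) -> list:
    """Heuristic findings for one ICMP packet; an empty list means it looks like plain ping."""
    if len(packet) < 8:
        return ["truncated"]
    icmp_type = packet[0]
    if icmp_type not in (0, 8):          # only echo request/reply are considered here
        return []
    payload = packet[8:]
    if payload == WINDOWS_PING_PAYLOAD or (len(payload) == 56 and payload[16:] == LINUX_PING_PATTERN):
        return []                         # matches a stock ping tool exactly
    findings = ["nonstandard_payload"]    # assumed threshold values follow
    if len(payload) > 64:
        findings.append("oversized_payload")
    if shannon_entropy(payload) > 5.0:
        findings.append("high_entropy")
    return findings
```

In practice the same checks would be run over captured ICMP traffic per host, together with the volume and timing of echo packets, since a single nonstandard payload is only a lead and not proof of tunneling.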