Pingback Malware: The Usage Of ICMP Tunneling Evading C&C Detection

On 4 May 2021, a novel piece of Windows malware was reported that uses several tricks to avoid detection while carrying out commands on its own. The malware, “Pingback”, presses the Internet Control Message Protocol (ICMP) into service as a tunnel for covert bot communications. According to an analysis by Trustwave, this lets adversaries use ICMP packets to piggyback attack code.

Loading a malicious file

oci.dll, the Pingback payload, is loaded by a legitimate Windows service, the Microsoft Distributed Transaction Coordinator (MSDTC), which coordinates database transactions that span several machines. The malware takes advantage of a well-known technique called DLL search order hijacking, in which a genuine application is tricked into loading a malicious DLL.

Posing as an Oracle ODBC interface

The malicious DLL is named after an Oracle ODBC interface, and MSDTC is the key process through which it gets onto a system. Although MSDTC is not configured to run automatically at startup, a sample submitted to VirusTotal in July installed the DLL file in the Windows System directory. This raises the possibility that a separate executable is used to install the malware and achieve persistence.

Using ICMP protocol

Once it is running, Pingback uses ICMP to communicate. ICMP is a network layer protocol mainly used for sending operational information and error messages, for example when a host is unreachable. Pingback also abuses ICMP Echo requests, using the message sequence numbers “1234, 1235, and 1235” to denote the type of information a packet contains: 1234 marks a command, and the other two are receipts of data.

Investigation is still in progress

The investigation is still in progress, and this particular malware has aroused the researchers' interest. ICMP is meant for performance measurement and diagnostics of IP connections, but it is abused for malicious activity by many cybercriminals. Disabling ICMP is not recommended; instead, it should be monitored to detect covert communications.
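As an added defender-side illustration of the monitoring described above (this is not code from the article or from Trustwave), the following Python parses ICMP echo datagrams and flags the two signals the article describes: the sequence numbers Pingback uses to mark command and data packets, and echo payloads far larger than a normal ping. The payload threshold, the sample datagrams and the helper names are assumptions made for this example.

```python
import struct

# Sequence numbers the article ties to Pingback echo traffic (1234 = command,
# the others = data receipts); a defender would tune this set (assumption).
PINGBACK_SEQS = {1234, 1235}
# Ordinary ping payloads are small (32 bytes on Windows, 56 on Linux); the
# threshold below is an assumption, not a value from the article.
MAX_NORMAL_PAYLOAD = 64

def icmp_checksum(data: bytes) -> int:
    # RFC 1071 one's-complement sum over the whole ICMP datagram
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    # Echo request (8) or reply (0) with a valid checksum; used only to build samples
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    chk = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, chk, ident, seq) + payload

def parse_icmp(datagram: bytes) -> dict:
    # 8-byte header (type, code, checksum, identifier, sequence), then payload
    if len(datagram) < 8:
        raise ValueError("ICMP datagram too short")
    t, code, chk, ident, seq = struct.unpack("!BBHHH", datagram[:8])
    return {"type": t, "code": code, "checksum": chk, "id": ident,
            "seq": seq, "payload": datagram[8:]}

def flag_echo(datagram: bytes) -> list:
    # Reasons a datagram looks like covert ICMP tunnelling (empty = clean)
    pkt = parse_icmp(datagram)
    reasons = []
    if pkt["type"] not in (0, 8):  # only echo request/reply are inspected
        return reasons
    if pkt["seq"] in PINGBACK_SEQS:
        reasons.append("pingback-sequence-%d" % pkt["seq"])
    if len(pkt["payload"]) > MAX_NORMAL_PAYLOAD:
        reasons.append("oversized-payload-%d" % len(pkt["payload"]))
    return reasons

# Constructed sample traffic: an ordinary Linux-style ping, then a Pingback-like
# command echo carrying far more data than a normal ping would.
SAMPLES = [build_echo(8, 1, 1, bytes(range(56))),
           build_echo(8, 1, 1234, b"command payload " * 8)]

def scan(datagrams) -> list:
    # (index, reasons) for every datagram that raised at least one flag
    return [(i, flag_echo(d)) for i, d in enumerate(datagrams) if flag_echo(d)]
```

In a real deployment the datagrams would come from a capture feed rather than the constructed list, and a sequence-number match alone should be treated as a lead to correlate with payload size and frequency, not as proof on its own.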

Get a VPN

One of the effective ways to prevent hackers from accessing your confidential details is to create a barrier around yourself. A VPN is the right product to get, considering present online crime rates. Privacyenbescherming is an excellent VPN brand offering the service at a reasonable price. Check out the plans and get a connection at the earliest, before you suffer from any security issues.