
Cybercrime, Pingback is a new malware exploiting ICMP tunnelling for communications

Trustwave: Pingback is a new malware that uses ICMP tunnelling for its communications. It receives commands from its C2 server over ICMP and maintains persistence through DLL hijacking.

Pingback is a new malware family that uses ICMP tunnelling for its command-and-control communications. It was discovered by Trustwave's cybersecurity researchers. The malicious code achieves persistence through DLL hijacking: it abuses the Microsoft Distributed Transaction Coordinator (msdtc) service to load a malicious oci.dll. Once msdtc has loaded it, the DLL receives commands from its C2 server over ICMP. This keeps the channel hidden from casual inspection, because ICMP has no ports and the implant opens no listening socket that would appear in netstat. The malware starts a sniffer for every IP address on the host, spawning one thread per address. To separate its own traffic from everything else, each thread ignores any packet that is not an ICMP echo packet, any packet not destined for the address it is sniffing, and any packet whose ICMP sequence number is not 1234, 1235 or 1236. The initial entry vector is still being investigated.
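The filtering logic described above, written out as an added Python example (this is not Trustwave's analysis code or the malware's own code): it parses a raw IPv4/ICMP datagram and applies the three checks the article lists, so a defender can reproduce the same test in a sniffer or a packet-capture triage script. The packet builder, the addresses and the payloads are constructed here for offline testing; treating "ICMP echo packet" as ICMP type 8 (echo request) is an assumption.

```python
"""Reproduce the Pingback-style ICMP filter: echo request, addressed to the
sniffed IP, sequence number in {1234, 1235, 1236}.  Added example, not the
original article's or Trustwave's code."""
import ipaddress
import struct

# Sequence numbers the article says the implant accepts; everything else is dropped.
PINGBACK_SEQUENCES = frozenset({1234, 1235, 1236})
ICMP_ECHO_REQUEST = 8  # assumption: "echo packet" in the article means an echo request
IPPROTO_ICMP = 1


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_packet(src: str, dst: str, icmp_type: int, seq: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 datagram carrying an ICMP message (constructed test input)."""
    # type, code, checksum placeholder, identifier, sequence number
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 0x4242, seq)
    csum = icmp_checksum(icmp_hdr + payload)
    icmp = struct.pack("!BBHHH", icmp_type, 0, csum, 0x4242, seq) + payload
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(icmp), 0, 0, 64, IPPROTO_ICMP, 0,  # IP checksum left 0
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return ip_hdr + icmp


def parse_ipv4_icmp(packet: bytes):
    """Return the fields the filter needs, or None if the datagram is not ICMP."""
    if len(packet) < 20 or (packet[0] >> 4) != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ICMP or len(packet) < ihl + 8:
        return None
    icmp = packet[ihl:]
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "type": icmp_type,
        "code": code,
        "id": ident,
        "seq": seq,
        "payload": icmp[8:],
        # A valid checksum sums to zero when recomputed over the whole message.
        "checksum_ok": icmp_checksum(icmp) == 0,
    }


def matches_pingback_filter(packet: bytes, local_ip: str) -> bool:
    """The three checks the article attributes to each per-address sniffer thread."""
    f = parse_ipv4_icmp(packet)
    if f is None:
        return False
    return (f["type"] == ICMP_ECHO_REQUEST
            and f["dst"] == local_ip
            and f["seq"] in PINGBACK_SEQUENCES)


def triage(packets, local_ip: str):
    """Return the (seq, payload) pairs that would reach the implant's command handler."""
    return [(parse_ipv4_icmp(p)["seq"], parse_ipv4_icmp(p)["payload"])
            for p in packets if matches_pingback_filter(p, local_ip)]


# Constructed sample traffic: documentation-range addresses, fake payloads.
LOCAL_IP = "192.0.2.10"
SAMPLE_PACKETS = [
    build_icmp_packet("198.51.100.7", LOCAL_IP, ICMP_ECHO_REQUEST, 1234, b"exec calc"),
    build_icmp_packet("198.51.100.7", LOCAL_IP, ICMP_ECHO_REQUEST, 1, b"ordinary ping"),
    build_icmp_packet("198.51.100.7", LOCAL_IP, 0, 1235, b"echo reply, ignored"),
    build_icmp_packet("198.51.100.7", "192.0.2.11", ICMP_ECHO_REQUEST, 1236, b"other host"),
    build_icmp_packet("198.51.100.7", LOCAL_IP, ICMP_ECHO_REQUEST, 1236, b"download"),
]

if __name__ == "__main__":
    for seq, payload in triage(SAMPLE_PACKETS, LOCAL_IP):
        print(f"seq={seq} payload={payload!r}")
```

The same three conditions, inverted, make a cheap hunting rule: echo requests to a host whose ICMP identifier and sequence do not advance the way a normal ping sweep does, and which carry non-standard payloads, are worth pulling out of a capture even before the malware is identified.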
