Pingback Malware

The details of a peculiar Windows threat named Pingback malware have been outlined in a blog post released by Trustwave. This particular threat caught the attention of the researchers due to its reliance on ICMP (Internet Control Message Protocol) for communication with its Command-and-Control (C2, C&C) servers. In addition, the threat takes advantage of a legitimate Windows service in a DLL Hijacking technique.

The Pingback malware consists of a small DLL file, just 66KB in size, named 'oci.dll' that is typically dropped inside the 'System' folder of the Windows OS. Instead of being loaded by the usual rundll32.exe, the malicious file relies on DLL hijacking to make another legitimate Windows process, msdtc (Microsoft Distributed Transaction Control), load and execute 'oci.dll'.

Initial Compromise Vector

So far, the initial vector used to deliver Pingback has not been established with 100% certainty. Certain evidence, however, suggests that another malware sample named 'updata.exe' might be involved. Analysis of 'updata.exe' has revealed that it drops the 'oci.dll' file and then executes a series of commands that reconfigure the msdtc service so that it runs as LocalSystem and starts automatically:

sc stop msdtc
sc config msdtc obj= Localsystem start= auto
sc start msdtc

Communication through ICMP

After establishing itself on the compromised system, the Pingback malware allows the threat actor to launch arbitrary commands. Before that, however, the threat must establish communication with its C2 servers. The creators of Pingback opted for a rather novel approach, using ICMP to carry the back-and-forth traffic between the implant and its servers. This helps the threat remain hidden from the user, since ICMP uses no ports and does not rely on TCP or UDP; in practice, the traffic is undetectable by certain diagnostic tools.

Pingback inspects every ICMP packet received by the infected system and selects those whose sequence numbers are 1234, 1235, or 1236. The 1235 and 1236 packets serve as confirmation that a request has been received on either end, while the 1234 packet carries the threat actor's actual commands. The data from the C2 can contain commands such as shell, download, exec, upload and more.

The Trustwave blog post provides certain Indicators of Compromise (IoC) associated with the Pingback malware:

File: oci.dll
SHA256: E50943D9F361830502DCFDB00971CBEE76877AA73665245427D817047523667F
SHA1: 0190495D0C3BE6C0EDBAB0D4DBD5A7E122EFBB3F
MD5: 264C2EDE235DC7232D673D4748437969

Network:
ICMP Type=8
Sequence Number: 1234|1235|1236
Data size: 788 bytes
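As an added detection example (not code from the Trustwave write-up or from the malware), the following checks raw IPv4 packets against the network indicators listed above: ICMP type 8, sequence number 1234, 1235 or 1236, and a 788-byte ICMP data field. The sample packets are constructed inline for testing; the 192.0.2.x addresses and the `build_ipv4_icmp` helper are assumptions, not indicators from the report.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Network indicators from the write-up: echo request (type 8),
# sequence 1234/1235/1236, 788-byte ICMP data field.
PINGBACK_SEQS = {1234, 1235, 1236}
PINGBACK_DATA_LEN = 788


@dataclass
class IcmpEcho:
    icmp_type: int
    seq: int
    data_len: int


def parse_ipv4_icmp(frame: bytes) -> Optional[IcmpEcho]:
    """Parse a raw IPv4 packet; return the ICMP header fields or None if not ICMP."""
    if len(frame) < 20:
        return None
    ihl = (frame[0] & 0x0F) * 4          # header length in bytes
    proto = frame[9]                     # 1 == ICMP
    if proto != 1 or len(frame) < ihl + 8:
        return None
    icmp = frame[ihl:]
    icmp_type, _code, _csum, _ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return IcmpEcho(icmp_type, seq, len(icmp) - 8)   # data follows the 8-byte header


def is_pingback_candidate(frame: bytes) -> bool:
    """True when all three published network indicators match."""
    echo = parse_ipv4_icmp(frame)
    return (echo is not None and echo.icmp_type == 8
            and echo.seq in PINGBACK_SEQS and echo.data_len == PINGBACK_DATA_LEN)


def scan(frames: List[bytes]) -> List[int]:
    """Return the indices of frames that match the Pingback indicators."""
    return [i for i, f in enumerate(frames) if is_pingback_candidate(f)]


def build_ipv4_icmp(icmp_type: int, seq: int, payload: bytes) -> bytes:
    """Constructed test packet (assumed helper, not a real capture); checksums left zero."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 1, seq)
    return ip_hdr + icmp_hdr + payload
```

Ordinary pings use small payloads and low, incrementing sequence numbers, so all three conditions together keep false positives low; matching on the sequence number alone would flag any long-running ping.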
