by Bhabesh Raj Rai, Associate Security Analytics Engineer

On May 4, 2021, Trustwave researchers released details for a malware dubbed Pingback that uses an Internet Control Message Protocol (ICMP) tunnel for its backdoor communications. Pingback has several useful abilities in its arsenal like executing commands and uploading and downloading files, giving the threat actors flexibility.

Pingback achieves persistence via DLL hijacking (T1574.001) of the legitimate system process msdtc (Microsoft Distributed Transaction Coordinator). Threat actors abuse the Windows DLL search order, which determines where a process looks for the DLLs it loads, to get their own malicious DLL executed. After obtaining system privileges, the threat actor drops a malicious oci.dll in the system directory, which the msdtc service loads indirectly through MSDTCTM.DLL.
By default, the msdtc service does not run at startup, so the threat actor uses the built-in sc (service control) command (T1543.003) to configure the msdtc service to start automatically at boot. A separate binary (updata.exe) performs this persistence setup and also drops the malicious DLL.

Pingback specifically uses ICMP echo request (type 8) messages. It sniffs packets on every IP address available on the host. To pick out its own packets, the sniffer ignores anything that is not an ICMP echo request or that does not carry ICMP sequence number 1234, 1235 or 1236. Under the hood, Pingback combines ICMP with TCP for better performance and reliability.
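The selector described above is simple enough to reproduce on the defensive side. The following Python is an added example (not Trustwave's or LogPoint's code): it parses raw IPv4/ICMP bytes and applies the same filter the malware does, accepting only echo requests whose sequence number is 1234, 1235 or 1236. The packets it scans are constructed in the block so it runs offline; the addresses and payloads are assumptions for illustration.

```python
"""Filter ICMP echo requests the way Pingback's sniffer does (type 8, seq 1234/1235/1236).

Added example, not Trustwave's or LogPoint's code. It parses raw IPv4/ICMP
bytes with struct so it runs offline; the packets below are constructed here.
"""
import socket
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
PINGBACK_SEQS = {1234, 1235, 1236}  # sequence numbers the backdoor keys on


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src: str, dst: str, icmp_type: int, seq: int, payload: bytes, ident: int = 1) -> bytes:
    """Build an IPv4 packet carrying one ICMP message (test input only, IP checksum left at 0)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp


def parse_icmp(pkt: bytes):
    """Return a dict describing an IPv4/ICMP packet, or None for anything else."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 1:
        return None
    icmp = pkt[(ver_ihl & 0x0F) * 4:total_len]
    if len(icmp) < 8 or icmp_checksum(icmp) != 0:  # truncated or corrupt: the host would drop it too
        return None
    icmp_type, _, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "type": icmp_type, "id": ident, "seq": seq, "payload": icmp[8:]}


def is_pingback_candidate(pkt: bytes) -> bool:
    """Mirror the malware's own filter: echo request carrying one of the magic sequence numbers."""
    info = parse_icmp(pkt)
    return info is not None and info["type"] == ICMP_ECHO_REQUEST and info["seq"] in PINGBACK_SEQS


def scan(packets):
    """Return (src, dst, seq, payload) for every packet the filter accepts."""
    hits = []
    for pkt in packets:
        if is_pingback_candidate(pkt):
            info = parse_icmp(pkt)
            hits.append((info["src"], info["dst"], info["seq"], info["payload"]))
    return hits


# Constructed traffic: a normal ping exchange, an echo reply with a magic seq
# (ignored because of its type), and two echo requests that match the selector.
SAMPLE_PACKETS = [
    build_packet("10.0.0.5", "10.0.0.20", ICMP_ECHO_REQUEST, 1, b"abcdefgh"),
    build_packet("10.0.0.20", "10.0.0.5", ICMP_ECHO_REPLY, 1, b"abcdefgh"),
    build_packet("10.0.0.20", "10.0.0.5", ICMP_ECHO_REPLY, 1234, b"ignored"),
    build_packet("10.0.0.5", "10.0.0.20", ICMP_ECHO_REQUEST, 1234, b"shell"),
    build_packet("10.0.0.5", "10.0.0.20", ICMP_ECHO_REQUEST, 1236, b"download"),
]

if __name__ == "__main__":
    for src, dst, seq, payload in scan(SAMPLE_PACKETS):
        print(f"{src} -> {dst} seq={seq} payload={payload!r}")
```

A hit from this filter is a lead, not proof: a plain `ping` increments its sequence number from 1 on every request, so a long-running ping will legitimately pass through 1234, 1235 and 1236. The payload of echo requests that repeatedly use these sequence numbers from the same source is what distinguishes tunnelled commands from a stray match.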

We will focus on how security administrators can use LogPoint to easily detect various threat actors’ tactics, techniques and procedures (TTPs) to deploy and use the Pingback backdoor.

Pingback fast facts

  • Discovered in May 2021
  • Uses unusual ICMP for backdoor communications to evade detection
  • Exploits real, trusted Windows processes to execute malicious commands
  • Investigation on initial intrusion method still ongoing

Detecting Pingback using LogPoint

Although the initial infection vector is currently unknown, the threat actor uses a malicious process, updata.exe, to handle the main infection stage. We can easily detect this process via Sysmon's process creation events.

norm_id=WindowsSysmon label="Process" label=Create
(image="*\updata.exe" OR hash_sha1="d76a7c6f6685eb5b5cd6d1559dda494dd1276ee1")

Threat hunters can run a more generic search, taking in sources such as antivirus as well, to look for the malicious process.

OR hash_sha1="d76a7c6f6685eb5b5cd6d1559dda494dd1276ee1"
OR hash_sha256="4ff77ea841544569e9da8aa3990724d1473731e684a162014ad1ad54e8c8cef2")

Pingback drops the malicious Oci.dll file in the system directory, which we can observe via Sysmon’s file creation events.

norm_id=WindowsSysmon event_id=11
path="C:\Windows" file="Oci.dll"

Similarly, we can run an enterprise-wide indicator of compromise (IoC) search for hashes of the malicious DLL.

OR hash_sha1="0190495D0C3BE6C0EDBAB0D4DBD5A7E122EFBB3F"
OR hash_sha256="E50943D9F361830502DCFDB00971CBEE76877AA73665245427D817047523667F")

The msdtc process loads the malicious DLL, which we can observe in Sysmon’s image load events.

norm_id=WindowsSysmon label=Image label=Load
source_image="*\msdtc.exe" image="C:\Windows\Oci.dll"

Finally, we can hunt for the last step of the actor's persistence installation by searching for modification of the msdtc service.

norm_id=WindowsSysmon label="Process" label=Create
image="*\sc.exe" command="* config msdtc * start*auto*"

We can also look for successful DLL hijacking of msdtc by looking for suspicious child processes of the msdtc process.

norm_id=WindowsSysmon label="Process" label=Create
parent_image="*\msdtc.exe" image IN ["*\cmd.exe", "*\powershell.exe", "*\wscript.exe", "*\cscript.exe"]
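To show how the five hunts above behave together on actual records, here is an added example (not LogPoint's code) that implements each query as a Python rule and runs them over constructed Sysmon-style events. Field names follow the LogPoint queries on this page (image, parent_image, source_image, path, file, command, hash_*) rather than raw Sysmon XML, and event_id uses Sysmon's numbering (1 = process create, 7 = image load, 11 = file create); the file paths and commands in the sample events are assumptions for illustration.

```python
"""Pingback hunting rules from this post, run over constructed Sysmon-style events.

Added example; this is not LogPoint's code and the events are constructed, not
real telemetry. Field names follow the LogPoint queries above; event_id uses
Sysmon's numbering: 1 = process create, 7 = image load, 11 = file create.
"""
import fnmatch

# Indicators quoted above; hashes are compared case-insensitively.
UPDATA_HASHES = {"d76a7c6f6685eb5b5cd6d1559dda494dd1276ee1",
                 "4ff77ea841544569e9da8aa3990724d1473731e684a162014ad1ad54e8c8cef2"}
OCI_HASHES = {"0190495d0c3be6c0edbab0d4dbd5a7e122efbb3f",
              "e50943d9f361830502dcfdb00971cbee76877aa73665245427d817047523667f"}
SHELLS = ("*\\cmd.exe", "*\\powershell.exe", "*\\wscript.exe", "*\\cscript.exe")


def glob(event, field, pattern):
    """Case-insensitive wildcard match on one event field ('*' as in the queries)."""
    value = event.get(field)
    return value is not None and fnmatch.fnmatchcase(value.lower(), pattern.lower())


def has_hash(event, hashes):
    return any(event.get(f, "").lower() in hashes for f in ("hash_sha1", "hash_sha256"))


def updata_executed(e):
    return e["event_id"] == 1 and (glob(e, "image", "*\\updata.exe") or has_hash(e, UPDATA_HASHES))


def oci_dropped(e):
    return e["event_id"] == 11 and glob(e, "path", "C:\\Windows") and glob(e, "file", "oci.dll")


def oci_loaded_by_msdtc(e):
    return (e["event_id"] == 7 and glob(e, "source_image", "*\\msdtc.exe")
            and (glob(e, "image", "C:\\Windows\\oci.dll") or has_hash(e, OCI_HASHES)))


def msdtc_set_autostart(e):
    # The query above uses "* config msdtc * start*auto*"; the pattern here also
    # accepts the minimal "sc config msdtc start= auto" with no argument in between.
    return (e["event_id"] == 1 and glob(e, "image", "*\\sc.exe")
            and glob(e, "command", "* config msdtc*start*auto*"))


def msdtc_spawned_shell(e):
    return (e["event_id"] == 1 and glob(e, "parent_image", "*\\msdtc.exe")
            and any(glob(e, "image", s) for s in SHELLS))


RULES = [updata_executed, oci_dropped, oci_loaded_by_msdtc, msdtc_set_autostart, msdtc_spawned_shell]


def hunt(events):
    """Return (rule name, event index) for every rule that fires on every event."""
    return [(rule.__name__, i) for i, e in enumerate(events) for rule in RULES if rule(e)]


# Constructed events approximating the infection chain described above, plus two benign ones
# (msdtc loading its legitimate msdtctm.dll, and explorer starting notepad).
SAMPLE_EVENTS = [
    {"event_id": 1, "image": "C:\\Users\\Public\\updata.exe",
     "hash_sha1": "D76A7C6F6685EB5B5CD6D1559DDA494DD1276EE1", "command": "updata.exe"},
    {"event_id": 11, "image": "C:\\Users\\Public\\updata.exe", "path": "C:\\Windows", "file": "Oci.dll"},
    {"event_id": 1, "image": "C:\\Windows\\System32\\sc.exe", "command": "sc config msdtc start= auto"},
    {"event_id": 7, "source_image": "C:\\Windows\\System32\\msdtc.exe", "image": "C:\\Windows\\Oci.dll"},
    {"event_id": 1, "parent_image": "C:\\Windows\\System32\\msdtc.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "command": "cmd.exe /c whoami"},
    {"event_id": 7, "source_image": "C:\\Windows\\System32\\msdtc.exe",
     "image": "C:\\Windows\\System32\\msdtctm.dll"},
    {"event_id": 1, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for name, idx in hunt(SAMPLE_EVENTS):
        print(f"{name:<22} fired on event {idx}: {SAMPLE_EVENTS[idx]}")
```

Each rule is independent, so a single event in the chain being missing (for example, no file-create rule configured in Sysmon) still leaves the other hunts firing; that is the overlapping-controls point the closing section makes. Matching is case-insensitive throughout because Windows paths, DLL names and hash strings turn up in both cases in practice.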

Sigma rules are also available for detecting Pingback malware. First and foremost, though, for any of these detections to work security administrators must configure Sysmon with the appropriate rules so that the relevant events are generated at all. Fortunately, the Sigma tooling can also generate Sysmon configuration from Sigma rules, which helps administrators confirm that Sysmon is configured to produce what their detections need.

Pingback’s uncommon persistence technique requires defense-in-depth

Though not a novel technique, using ICMP for backdoor communications is uncommon in malware. The unusual method highlights Pingback's reliance on uncommon techniques to slip past typical security monitoring.

There are also myriad built-in Windows binaries susceptible to DLL hijacking, offering adversaries a wide range of options. This abundance of opportunities makes security administrators' job difficult, as monitoring for every possible DLL hijacking attempt is a daunting task. Enterprise defenders should therefore adopt a defense-in-depth strategy, using overlapping controls to minimise single points of failure, so that threats are detected before the threat actors achieve their objectives.