A threat group is leveraging a rarely-used way to exploit legitimate Windows services, evade detection and install malware, according to researchers at Trustwave.
Dubbed Pingback, researchers report that the malware achieves persistence through DLL hijacking, then establishes a covert connection using ICMP (Internet Control Message Protocol) tunnelling to install a backdoor.
Neither tactic is new, but Trustwave warns infosec pros to monitor ICPM to help detect covert communications.
“ICMP is useful for diagnostics and performance of IP connections in the real world,” the report noted, so it shouldn’t be disabled. But communications using it have to be watched.
There are many tools available for organizations to monitor their network activity, a Trustwave spokesperson told ITWorldCanada.
“It could be as simple as setting up a perimeter firewall to log and alert on ICMP activity or utilizing your network router’s built-in capabilities to track traffic like with NetFlow,” they said.
Network intrusion detection software can also be used to monitor for specific malicious activity.
The attack starts with DLL (Dynamic Link Library) hijacking. It involves using a legitimate application to preload a malicious DLL file. Attackers commonly abuse the Windows DLL Search Order and take advantage of this to load a malicious DLL file instead of the legitimate one, the report notes.
Usually, DLL files load through a Windows service called rundll32.exe. In the case of Pingback, a malicious DLL file called oci.dll (Pingback) was somehow indirectly loaded through a legitimate service called msdtc (Microsoft Distributed Transaction Coordinator). This service coordinates transactions that span multiple machines, such as databases, message queues, and file systems.
The file oci.dll is the name of a legitimate Oracle DLL file. The researchers theorize an attacker with system privileges could have dropped this malicious DLL and saved it using a Windows DLL that loads a library to support Oracle databases.
The msdtc service, by default, does not run during start-up, the researchers noted. To remain persistent, the service needs to be configured to start automatically, so the attacker would need system privileges to reconfigure the msdtc startup type. That can be done manually using SC command, via malicious scripts, or through a malware installer.
“Our theory is that a separate executable installed this malware,” the researchers write.
After a bit of hunting, they found a sample in VirusTotal with similar indicators of compromise that installs oci.dll into the Windows System directory and then sets msdtc service to start automatically.
The Pingback malware then uses the ICMP protocol for its main communication, hidden from the user as ports cannot be listed by netstat. This is a command-line network utility that displays network connections for Transmission Control Protocol (TCP), routing tables, and other functions.
Pingback supports several commands: creating a shell, opening a socket on a specified port an attacker can use for uploading/downloading data, and executing a command on the infected host.
The malware didn’t get into the network through ICMP, the researchers stress. Instead, it exploits ICMP for covert bot communications. “The initial entry vector is still being investigated.”