A new malware family called Pingback, which uses ICMP to communicate with its C2 server, was recently discovered by researchers. In this article we will look at how this malware evades detection by abusing ICMP, walk through its modus operandi, and suggest some measures for detecting threats of this nature.
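Before going into the sample itself, here is a small added example (written for this article, not code from the original research or from the malware) of the kind of detection measure an ICMP-based C2 channel invites. It parses raw ICMP echo packets, verifies the checksum, and flags payloads that do not look like the data a normal ping tool sends: oversized payloads, payloads that match neither the default Windows ping pattern nor the iputils pattern, and high-entropy payloads. The sample packets are constructed inline, and the default-payload patterns and thresholds are assumptions on my part, chosen to illustrate the heuristic rather than to fingerprint Pingback specifically.

```python
"""Heuristic detection of ICMP echo packets carrying non-ping data (ICMP tunnelling / C2).

Added example for this article; not code from the original page or the cited research.
Operates on raw ICMP messages (header + payload, no IP header).
"""
import math
import struct
from collections import Counter

ECHO_REPLY = 0
ECHO_REQUEST = 8

# Assumption: default 32-byte payload that Windows ping.exe sends ('a'..'w' then 'a'..'i').
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Returns 0 when run over a packet whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request/reply with a correct checksum (used here to construct samples)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(pkt: bytes) -> dict:
    """Split an ICMP message into its header fields and payload, and verify the checksum."""
    if len(pkt) < 8:
        raise ValueError("ICMP message shorter than 8-byte header")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {
        "type": icmp_type,
        "code": code,
        "ident": ident,
        "seq": seq,
        "payload": pkt[8:],
        "checksum_ok": icmp_checksum(pkt) == 0,
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random/encrypted data approaches 8.0, plain text sits well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_standard_ping(payload: bytes) -> bool:
    """True if the payload matches a known ping tool pattern (assumed patterns, see above)."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    # Assumption: iputils ping fills data with 0,1,2,... and overwrites the first 8 (or 16)
    # bytes with a timestamp, so the tail after the timestamp is an incrementing byte run.
    for ts_len in (8, 16):
        if len(payload) >= ts_len:
            expected_tail = bytes(i & 0xFF for i in range(ts_len, len(payload)))
            if payload[ts_len:] == expected_tail:
                return True
    return False


def classify_echo(pkt: bytes, max_payload: int = 64, entropy_threshold: float = 6.0):
    """Return (parsed_fields, list_of_reasons). An empty reason list means 'looks like a normal ping'."""
    fields = parse_icmp(pkt)
    reasons = []
    if fields["type"] not in (ECHO_REQUEST, ECHO_REPLY):
        return fields, reasons  # other ICMP types are out of scope for this heuristic
    if not fields["checksum_ok"]:
        reasons.append("bad checksum")
    payload = fields["payload"]
    if len(payload) > max_payload:
        reasons.append(f"payload {len(payload)} bytes exceeds {max_payload}")
    if not looks_like_standard_ping(payload):
        reasons.append("payload does not match a known ping tool pattern")
    if len(payload) >= 32 and shannon_entropy(payload) > entropy_threshold:
        reasons.append("high-entropy payload")
    return fields, reasons


# Constructed sample packets (not captured traffic): two benign pings and one tunnelled blob.
SAMPLE_PACKETS = {
    "windows_ping": build_echo(ECHO_REQUEST, 0x0001, 1, WINDOWS_PING_PAYLOAD),
    "linux_ping": build_echo(ECHO_REQUEST, 0x1234, 7, b"\x00" * 8 + bytes(range(8, 56))),
    # Deterministic stand-in for encrypted C2 data: 200 distinct byte values, looks random.
    "icmp_tunnel": build_echo(ECHO_REQUEST, 0xBEEF, 3, bytes((i * 73 + 41) & 0xFF for i in range(200))),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        fields, reasons = classify_echo(pkt)
        verdict = "ALERT" if reasons else "ok"
        print(f"{name:13s} type={fields['type']} len={len(fields['payload']):3d} {verdict} {reasons}")
```

In practice you would feed `classify_echo` the ICMP portion of packets pulled from a capture or a sensor, and tune `max_payload` and the payload patterns to what your own hosts actually send; the point is that echo traffic with arbitrary, large or high-entropy data is the observable that an ICMP C2 channel cannot avoid producing.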
As mentioned by the research team, the malicious file, a Windows DLL named oci.dll, is dropped into the Windows System folder by other malicious vectors exploited earlier by the criminals, or even by another malicious process already running on the target machine. In this case the DLL is not loaded into memory with the rundll32.exe utility but through a DLL sideloading / DLL hijacking technique. This technique is very popular in the malware landscape, and several malware families, such as the Javali trojan, use it to carry out their operations.
Figure 1: Details of the malicious oci.dll file (pingback malware).
Interestingly, the malware's name comes from the path found in its PDB string, "pingbackservice0509.pdb". In detail, this DLL mimics a legitimate DLL that is loaded into memory, taking advantage of binary files present on this list of over 300 Windows executables that are