Pingback Backdoor

Summary

Pingback is a backdoor, with command and control (C2) capabilities, which targets Windows 64-bit systems through DLL hijacking.


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

Pingback is a recently identified backdoor which affects 64-bit Windows systems. It is delivered as a 64-bit Dynamic Link Library (DLL) and achieves persistence on a host through the technique of DLL hijacking (T1574.001). Pingback carries out C2 operations via Internet Control Message Protocol (ICMP).


Delivery

A malicious DLL, oci.dll, is loaded using DLL hijacking, a technique which allows attackers to abuse trusted Windows processes to run arbitrary malicious code. This is achieved by placing a malicious DLL file in a folder trusted by the Windows operating system, so that a legitimate system application loads and runs the malicious DLL file.

Pingback uses this technique to load the malicious oci.dll via the Microsoft Distributed Transaction Control (msdtc) service. The msdtc service searches for three DLLs which by default do not exist in the Windows System directory, one of which is an Oracle library called oci.dll. The malicious DLL is dropped into the Windows System directory under the name oci.dll, which results in it being loaded by the msdtc service.

The method used to drop the malicious DLL into the Windows System directory is not fully known, but there are indications that other unidentified malware is used to drop the malicious oci.dll and to configure msdtc to run on start-up.
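The check below is an added example, not code from NHS Digital or Trustwave. It looks for the hijack artefact described above: an oci.dll present in the Windows System directory (which by default should not exist there), hashes any file it finds and compares the digest with the SHA256 indicator given later on this page. The directory is a parameter so the same function can be run against a constructed directory offline; `demo_with_constructed_sample` builds such a directory with a harmless stand-in file for that purpose.

```python
"""Host check for the msdtc DLL search-order hijack used by Pingback.

Added example (not the advisory's own tooling). Any oci.dll found in the
System directory is reported; a hash match against the published indicator
is reported separately from "present but unrecognised", because a file with
a different hash still needs review (a different sample, or a library that
a legitimate installer should not have placed there).
"""
import hashlib
import os
import tempfile

# SHA256 of the known-malicious oci.dll, taken from this advisory's indicators.
PINGBACK_OCI_SHA256 = (
    "e50943d9f361830502dcfdb00971cbee76877aa73665245427d817047523667f"
)

# msdtc probes for three DLLs at start-up; the advisory names only oci.dll,
# so only that entry is listed here.
HIJACK_CANDIDATES = ("oci.dll",)


def sha256_of_file(path):
    """Stream the file through SHA256 so large binaries are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_system_dir(system_dir):
    """Return one finding per candidate DLL present in system_dir.

    An empty list means none of the hijack candidates exist there, which is
    the expected state on a default Windows installation.
    """
    findings = []
    for name in HIJACK_CANDIDATES:
        path = os.path.join(system_dir, name)
        if not os.path.isfile(path):
            continue
        digest = sha256_of_file(path)
        findings.append({
            "path": path,
            "sha256": digest,
            "known_pingback": digest == PINGBACK_OCI_SHA256,
        })
    return findings


def demo_with_constructed_sample():
    """Offline self-check: a throwaway directory holding a constructed, benign
    oci.dll stand-in (not the real sample) is scanned and the findings returned."""
    with tempfile.TemporaryDirectory() as directory:
        with open(os.path.join(directory, "oci.dll"), "wb") as handle:
            handle.write(b"constructed stand-in file, not malware")
        return check_system_dir(directory)


if __name__ == "__main__":
    # On a real host: scan %SystemRoot%\System32 (assumed default location).
    system_root = os.environ.get("SystemRoot", r"C:\Windows")
    for finding in check_system_dir(os.path.join(system_root, "System32")):
        verdict = ("MATCHES Pingback indicator" if finding["known_pingback"]
                   else "present but unrecognised; review")
        print(finding["path"], finding["sha256"], verdict)
```

Run it with administrative rights on the host being checked; a non-empty result is worth investigating even when the hash does not match, since the advisory notes the dropper has not been identified and other samples may differ.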


Activities

Pingback communicates with a C2 server using ICMP, which evades diagnostic tools that rely on port detection. ICMP is normally used for network pings and does not communicate using network ports. The ICMP packet’s data field is used to transfer arbitrary data, enabling the C2 server to send commands to compromised hosts, which use the same method to respond. To achieve this, Pingback listens for inbound ICMP packets and selectively parses those with sequence numbers 1234, 1235 and 1236. Packets with sequence number 1234 carry payloads or commands, enabling the C2 server to download and upload files and to execute other arbitrary commands on the remote host. Packets with sequence numbers 1235 and 1236 are used only to acknowledge that requests have been received.
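The detector below is an added example, not code from the advisory or from Trustwave. It parses raw ICMP echo messages (IP header already stripped) and flags the three sequence numbers named above, labelling 1234 as the command/payload channel and 1235/1236 as acknowledgements. Because an ordinary long-running ping can also reach sequence number 1234, the example adds a heuristic confidence field based on the data length (the common ping defaults of 32 and 56 data bytes are assumed as "normal"); the sample packets are constructed inline with valid checksums.

```python
"""Flag ICMP echo traffic that matches Pingback's sequence-number channel.

Added example. Input is the ICMP message only (bytes after the IP header),
as a packet capture library or raw socket would hand it over.
"""
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Sequence numbers the advisory says Pingback selectively parses.
PINGBACK_SEQUENCES = {
    1234: "command/payload",
    1235: "acknowledgement",
    1236: "acknowledgement",
}

# Assumed default ping data sizes (Windows 32 bytes, Linux/BSD 56 bytes);
# anything else on a flagged sequence number raises the confidence.
USUAL_PING_DATA_SIZES = (32, 56)


def icmp_checksum(data):
    """RFC 1071 ones'-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(icmp_type, ident, seq, payload):
    """Construct an echo request/reply with a correct checksum (test input)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet):
    """Split an ICMP message into its fields; checksum_ok verifies integrity."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes; got %d" % len(packet))
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": icmp_type,
        "code": code,
        "id": ident,
        "seq": seq,
        "data": packet[8:],
        # Summing a message that includes its own checksum yields zero.
        "checksum_ok": icmp_checksum(packet) == 0,
    }


def classify(packet):
    """Return an alert dict for a Pingback-style echo message, else None."""
    fields = parse_icmp(packet)
    if fields["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    role = PINGBACK_SEQUENCES.get(fields["seq"])
    if role is None:
        return None
    data_len = len(fields["data"])
    return {
        "seq": fields["seq"],
        "role": role,
        "direction": "request" if fields["type"] == ICMP_ECHO_REQUEST else "reply",
        "data_len": data_len,
        "checksum_ok": fields["checksum_ok"],
        "confidence": "medium" if data_len in USUAL_PING_DATA_SIZES else "high",
    }


def detect_pingback(packets):
    """Run classify() over a sequence of ICMP messages, skipping runts."""
    alerts = []
    for packet in packets:
        if len(packet) < 8:
            continue
        alert = classify(packet)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample traffic: one ordinary ping, then the three channels.
SAMPLE_PACKETS = [
    build_icmp_echo(ICMP_ECHO_REQUEST, 0x0001, 7, b"abcdefghijklmnopqrstuvwabcdefghi"),
    build_icmp_echo(ICMP_ECHO_REQUEST, 0x0001, 1234, b"constructed command bytes"),
    build_icmp_echo(ICMP_ECHO_REPLY, 0x0001, 1235, b""),
    build_icmp_echo(ICMP_ECHO_REQUEST, 0x0001, 1236, b""),
]

if __name__ == "__main__":
    for alert in detect_pingback(SAMPLE_PACKETS):
        print(alert)
```

On a network sensor the same logic can be wired to a capture source; a host pairing a seq-1234 message carrying data with seq-1235/1236 acknowledgements is a stronger signal than any single packet, so correlating by ICMP identifier and peer address over a short window is the natural next step.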


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

MITRE ATT&CK techniques

Persistence, privilege escalation, and defence evasion

Host indicators

Filenames

  • oci.dll

PDB paths

  • c:\Users\XL\Documents\Visual Studio 2008\Projects\PingBackService0509\x64\Release\PingBackService0509.pdb

SHA256 hashes

  • e50943d9f361830502dcfdb00971cbee76877aa73665245427d817047523667f

Yara rule

rule PingBack
{
    meta:
        description = "This rule detects PingBack malware"
        author = "Trustwave SpiderLabs"
        date = "May 4th, 2021"
    
    strings:
        $string1 = "Sniffer ok!" ascii
        $string2 = "lock2" ascii
        $string3 = "recvfrom failed" ascii
        $string4 = "rexec" ascii
        $string5 = "exep" ascii
        $string6 = "download" ascii
        $string7 = "download2" ascii
        $string8 = "download3" ascii
        $string9 = "upload" ascii
        $string10 = "upload2" ascii
        $string11 = "upload3" ascii
        $string12 = "cmd.exe" ascii
        $string13 = "PingBackService" ascii

    condition:
        all of them

}

Yara rule provided courtesy of Lloyd Macrohon, Rodel Mendrez, Trustwave, 4 May 2021.


Last edited: 7 May 2021 11:41 am