New Windows 'Pingback' malware uses ICMP for covert communication
2021-05-04 13:00

Dubbed "Pingback," this malware targets Microsoft Windows 64-bit systems, and uses DLL Hijacking to gain persistence.

Abuses real Windows service to load malicious DLL. Today, Trustwave senior architect Lloyd Macrohon and principal security researcher Rodel Mendrez have released their findings on a novel Windows malware that exists as a 64-bit DLL. Of note is the sample's choice of ICMP as its communication protocol, which is also used by the popular ping command and the Windows traceroute utility.

DLL Hijacking is a technique used by attackers on Windows systems that involves placing a malicious DLL file in one of the folders trusted by the Windows operating system, such that a legitimate system application picks up and runs the malicious DLL file.

Exe is present on the list of over 300 Windows executables that make the perfect candidates for DLL Hijacking, as compiled by PwC researcher Wietze Beukema.

Dll in the Windows "System" folder and configuring msdtc to run on every startup.

Dll malware, once launched by msdtc, uses ICMP to stealthily receive commands from its C2 server.
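
A defender-side check for the loading behaviour described above, as an added example that is not from the original article or from the researchers it cites: this PowerShell script reports how the msdtc service is configured to start and lists every module loaded into its process that lacks a valid Authenticode signature. It assumes an elevated session on the host being examined; an unsigned module is a lead for review, not proof of compromise.

```powershell
# Added example: audit the msdtc service and the DLLs it has loaded.
# Assumption: run from an elevated PowerShell session on the host under review.

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MSDTC'"
if (-not $svc) {
    Write-Output 'MSDTC service is not installed on this host.'
    return
}

# The article notes msdtc being configured to run on every startup,
# so record the current start mode alongside the running state.
[pscustomobject]@{
    Service   = $svc.Name
    StartMode = $svc.StartMode   # Auto, Manual or Disabled
    State     = $svc.State
    ProcessId = $svc.ProcessId
}

if ($svc.ProcessId -eq 0) {
    Write-Output 'msdtc is not running; there are no loaded modules to inspect.'
    return
}

# Check the signature of every module mapped into the service process and
# keep only those that do not verify.
$findings = foreach ($module in (Get-Process -Id $svc.ProcessId).Modules) {
    $sig = Get-AuthenticodeSignature -LiteralPath $module.FileName
    if ($sig.Status -ne 'Valid') {
        $file = Get-Item -LiteralPath $module.FileName
        [pscustomobject]@{
            Path            = $module.FileName
            SignatureStatus = $sig.Status
            CreatedUtc      = $file.CreationTimeUtc
            SHA256          = (Get-FileHash -LiteralPath $module.FileName -Algorithm SHA256).Hash
        }
    }
}

if ($findings) {
    # Most recently created files first: a DLL dropped into a trusted folder
    # is usually newer than the operating system files around it.
    $findings | Sort-Object CreatedUtc -Descending | Format-Table -AutoSize
} else {
    Write-Output 'All modules loaded by msdtc carry a valid signature.'
}
```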


News URL

https://www.bleepingcomputer.com/news/security/new-windows-pingback-malware-uses-icmp-for-covert-communication/