
New Pingback Malware Using ICMP Tunneling to Evade C&C Detection
2021-05-08 05:35

Researchers on Tuesday disclosed a novel malware that uses a variety of tricks to stay under the radar and evade detection while stealthily executing arbitrary commands on infected systems.

Called 'Pingback,' the Windows malware leverages Internet Control Message Protocol (ICMP) tunneling for covert bot communications, allowing the adversary to use ICMP packets to piggyback attack code, according to an analysis published today by Trustwave.

Upon successful execution, Pingback resorts to using ICMP for its main communication.

Some of the commands supported by the malware include the capability to run arbitrary shell commands, download and upload files from and to the attacker's host, and execute malicious payloads on the infected machine.

"ICMP tunneling is not new, but this particular sample piqued our interest as a real-world example of malware using this technique to evade detection," the researchers said.

"ICMP is useful for diagnostics and performance of IP connections, [but] it can also be misused by malicious actors to scan and map a target's network environment. While we are not suggesting that ICMP should be disabled, we do suggest putting in place monitoring to help detect such covert communications over ICMP."
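One way to approach the monitoring the researchers recommend, as an added example that is not from this article or the Trustwave analysis: generic heuristics for ICMP echo traffic (oversized payloads, replies that do not mirror their request), not Pingback-specific indicators. The function names, the 64-byte threshold and the sample traffic are assumptions constructed for illustration.

```python
import struct

WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"  # default 32-byte Windows ping payload
MAX_BENIGN_LEN = 64  # assumption: tune to the ping sizes seen in your environment

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 for a message with a valid checksum."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Construct an ICMP echo message (used only to make the sample input)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def review_echo_traffic(messages):
    """Return (index, reason) findings for a list of raw ICMP messages."""
    findings, pending = [], {}
    for i, raw in enumerate(messages):
        if len(raw) < 8:
            findings.append((i, "truncated ICMP header"))
            continue
        icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
        payload = raw[8:]
        if icmp_type not in (0, 8):  # only echo reply (0) / echo request (8)
            continue
        if checksum(raw) != 0:
            findings.append((i, "bad checksum"))
        if len(payload) > MAX_BENIGN_LEN:
            findings.append((i, f"oversized echo payload ({len(payload)} bytes)"))
        if icmp_type == 8:
            pending[(ident, seq)] = payload
        elif (ident, seq) not in pending:
            findings.append((i, "echo reply without matching request"))
        elif pending.pop((ident, seq)) != payload:
            # RFC 792: the reply must return the request's data unchanged
            findings.append((i, "echo reply payload differs from request"))
    return findings

SAMPLE = [  # constructed traffic: one ordinary ping exchange, one suspicious one
    build_echo(8, 1, 1, WINDOWS_PING),
    build_echo(0, 1, 1, WINDOWS_PING),
    build_echo(8, 7, 1, b"\x00" * 300),
    build_echo(0, 7, 1, b"\x01" * 300),
]
```

In a real deployment the raw ICMP messages would come from a capture or sensor feed, and the findings would be baselined per host pair before alerting.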


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/W9afjY854iY/new-pingback-malware-using-icmp.html