Pingback Malware Uses the ICMP Windows Service for Sneaky C2 Communication


Malware researchers have identified a peculiar new malware family that targets Windows systems. It uses a popular trick known as DLL hijacking to fool the Windows operating system into running a maliciously modified DLL stored in a system folder. Typically, many of the DLL files in these folders are trusted by Windows, and they will be loaded by various Windows components without checking their legitimacy. Of course, this can be prevented by using an up-to-date antivirus software suite, which will terminate harmful files before they get a chance to cause trouble.

The Pingback Malware appears to mask itself as an 'oci.dll' file, which is loaded by the Microsoft Distributed Transaction Control service. However, DLL hijacking is by no means a novel technique – it has been used by hackers for years, and this is not the special thing about this project. What is special about the Pingback Malware is that it relies on the Internet Control Message Protocol (ICMP) to communicate with the control server – the same protocol used by basic Windows commands like ping and tracert.

The malicious implant waits for incoming ICMP packets, which are marked with one of three special number sequences – one tells the implant to check for a command to execute, while another one tells it to accept a payload. The third one, in the meantime, is used to return a response to the control server. ICMP communication can go under the radar of network traffic monitoring tools, so it is not surprising that the Pingback Malware's creators have opted to use it.
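The article does not publish Pingback's marker values, so the following is an added, defender-side example (not code from the article or from the researchers) showing the kind of heuristic a network sensor can apply to echo packets: it parses the ICMP header, verifies the checksum, and flags payloads that do not look like what ordinary ping clients send. The baseline payload patterns (Windows' 32-byte alphabet, Linux's timestamp plus 0x10, 0x11, ... run), the 64-byte size limit and the entropy threshold are assumptions of this example, and the sample packets are constructed inline.

```python
import math
import struct
from collections import Counter

ECHO_REPLY, ECHO_REQUEST = 0, 8
# Baseline assumed for the heuristic: Windows ping.exe sends a fixed 32-byte alphabet,
# Linux ping sends an 8-byte timestamp followed by the bytes 0x10, 0x11, 0x12, ...
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 for a packet whose checksum is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request/reply with a valid checksum (used to construct samples)."""
    csum = icmp_checksum(struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def looks_like_plain_ping(payload: bytes) -> bool:
    if payload == WINDOWS_PING_PAYLOAD or not payload:
        return True
    body = payload[8:]  # skip the Linux-style timestamp
    return len(payload) >= 8 and body == bytes((0x10 + i) & 0xFF for i in range(len(body)))

def inspect_icmp(packet: bytes) -> list[str]:
    """Return why an ICMP echo packet looks like a tunnelled channel; [] means it looks like ping."""
    if len(packet) < 8:
        return ["truncated ICMP header"]
    icmp_type, _code, _csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY):
        return []  # this heuristic covers echo traffic only
    payload, reasons = packet[8:], []
    if icmp_checksum(packet) != 0:
        reasons.append("bad checksum")
    if len(payload) > 64:
        reasons.append(f"oversized payload ({len(payload)} bytes)")
    if not looks_like_plain_ping(payload):
        reasons.append("payload is not a standard ping pattern")
    if len(payload) >= 32 and shannon_entropy(payload) > 6.0:
        reasons.append("high-entropy payload (possible embedded data or code)")
    return reasons
```

Feed `inspect_icmp` the ICMP portion of captured packets (after the IP header); a host that steadily emits flagged echo packets is worth a closer look.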

Systems protected by an up-to-date antivirus tool are safe from Pingback Malware's attacks. Of course, computer operators should still try to stay safe while browsing the Web – avoid interacting with unknown content, shady websites, pirated software/media and, of course, always be wary of random email attachments.

May 5, 2021
