Pingback: Backdoor At The End Of The ICMP Tunnel

josephine

SpiderLabs Blog | Trustwave - “Pingback: Backdoor At The End Of The ICMP Tunnel” - By Lloyd Macrohon, Rodel Mendrez - May 04, 2021



Introduction
In this post, we analyze a piece of malware that we encountered during a recent breach investigation. What caught our attention was how the malware achieved persistence, how it used ICMP tunneling for its backdoor communications, and how it operated with different modes to increase its chances of a successful attack. Malware using ICMP is not new but is relatively uncommon. Because of this, and the presence of certain strings, we decided to name this malware ‘Pingback’. Below we demonstrate how Pingback’s protocols work and also provide sample code on how we interacted with the malware.

We begin by looking at how Pingback achieves persistence through DLL hijacking.

Persistence through DLL Hijacking
DLL (Dynamic Link Library) hijacking is a technique that involves using a legitimate application to preload a malicious DLL file. Attackers commonly abuse the Windows DLL Search Order and take advantage of this to load a malicious DLL file instead of the legitimate one.

The file we investigated was a DLL file called oci.dll. We knew that the file was suspicious during our initial triaging, but we could not figure out how it was loaded into the system because the DLL was not loaded through the traditional rundll32.exe.

We found out later that it got loaded through a legitimate service called msdtc (a.k.a. Microsoft Distributed Transaction Coordinator). This service, as the name suggests, coordinates transactions that span multiple machines, such as databases, message queues, and file systems.


It turns out the msdtc service indirectly loads oci.dll through MSDTCTM.DLL that loads an ODBC library to support Oracle databases called MTXOCI.DLL. This library searches for and tries to load three Oracle ODBC DLLs which include oci.dll, SqlLib80.dll, and xa80.dll...

By default, the three Oracle DLLs do not exist in the Windows system directory. So, in theory, an attacker with system privileges can drop a malicious DLL and save it using one of the DLL filenames that MTxOCI loads. We have experimented with dropping all three DLL filenames but only oci.dll was successfully loaded by the service...

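The excerpt above explains that msdtc pulls in MTxOCI.dll, which in turn tries to load oci.dll, SqlLib80.dll and xa80.dll from the Windows system directory, where none of them exist by default. A defender can turn that observation into a quick host check. The script below is an added example written for this thread, not code from the SpiderLabs post or from Trustwave: it looks for the three file names in System32 (assumed here to be the "Windows system directory" the post refers to), reports signature status and SHA-256 for anything it finds, and then checks whether a running msdtc process has any of those names mapped. Reading the module list of a service process needs an elevated session, and a hit on a host with a legitimate Oracle client installed still needs triage rather than being treated as confirmed malicious.

```powershell
# Added example (not part of the SpiderLabs analysis): audit the Oracle ODBC
# DLL names that MTxOCI.dll tries to load from the Windows system directory.
# Assumption: System32 is the directory the post calls "the Windows system directory".

$SystemDir = Join-Path $env:SystemRoot 'System32'

# The three file names named in the analysis. The post found that only oci.dll
# was actually loaded by the service, but all three are worth checking.
$HijackCandidates = @('oci.dll', 'SqlLib80.dll', 'xa80.dll')

# Check 1: are any of the candidate files present on disk? By default none should be.
$findings = foreach ($name in $HijackCandidates) {
    $path = Join-Path $SystemDir $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $sig  = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            File      = $path
            SizeBytes = $item.Length
            Modified  = $item.LastWriteTime
            Signature = $sig.Status                      # 'NotSigned' is typical for a planted DLL
            Signer    = $sig.SignerCertificate.Subject   # $null when the file is unsigned
            SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

if ($findings) {
    Write-Warning "Unexpected Oracle ODBC DLL name(s) present in $SystemDir - triage before concluding:"
    $findings | Format-List
} else {
    Write-Output "None of $($HijackCandidates -join ', ') present in $SystemDir"
}

# Check 2: does a running msdtc process currently have one of these names loaded?
# Enumerating modules of a service process requires an elevated session.
$msdtc = Get-Process -Name msdtc -ErrorAction SilentlyContinue | Select-Object -First 1
if ($msdtc) {
    try {
        # -contains compares case-insensitively, so 'OCI.DLL' and 'oci.dll' both match.
        $loaded = $msdtc.Modules | Where-Object { $HijackCandidates -contains $_.ModuleName }
        if ($loaded) {
            Write-Warning "msdtc (PID $($msdtc.Id)) has loaded: $($loaded.FileName -join ', ')"
        } else {
            Write-Output "msdtc (PID $($msdtc.Id)) has none of the candidate DLLs loaded"
        }
    } catch {
        Write-Warning "Could not read the module list of msdtc (PID $($msdtc.Id)); run elevated. $($_.Exception.Message)"
    }
} else {
    Write-Output 'msdtc is not running on this host'
}
```

Run it from an elevated PowerShell session so the second check can read the service's module list; the first check works without elevation. Because the same file names are legitimately installed by Oracle client software on some hosts, treat a hit as a lead to compare the file's hash and signer against a known-good install, not as a verdict on its own.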