Pingback Backdoor Activity
Detects the use of the Pingback backdoor, which creates an ICMP tunnel for C2, as described in the Trustwave report.
Sigma rule
```yaml
title: Pingback Backdoor Activity
id: b2400ffb-7680-47c0-b08a-098a7de7e7a9
related:
    - id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b # DLL Load
      type: similar
    - id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 # File Indicators
      type: similar
status: test
description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
references:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
    - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
author: Bhabesh Raj
date: 2021-05-05
modified: 2023-02-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\updata.exe'
        CommandLine|contains|all:
            - 'config'
            - 'msdtc'
            - 'start'
            - 'auto'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
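The rule above has a single selection: the parent process image must end with `\updata.exe` and the command line must contain all four substrings `config`, `msdtc`, `start` and `auto`. The following Python is an added example (not part of the Sigma rule or the SigmaHQ project) that evaluates exactly that selection over a handful of constructed process-creation events with Sysmon-style field names; the events, field values and the `matches_pingback_rule` / `find_alerts` function names are assumptions made for the illustration. Sigma string matching is case-insensitive by default, so both sides are lower-cased before comparison.

```python
# Added example: evaluate the rule's selection logic over process_creation events.
# Field names follow the Sysmon/Sigma convention (ParentImage, CommandLine).

# Constructed sample events for this example; not from the report or the rule page.
SAMPLE_EVENTS = [
    {   # parent is updata.exe and the command line carries all four tokens -> match
        "Image": r"C:\Windows\System32\sc.exe",
        "ParentImage": r"C:\Users\Public\updata.exe",
        "CommandLine": "sc config MSDTC start= auto",
    },
    {   # same command line, but launched from cmd.exe -> ParentImage check fails
        "Image": r"C:\Windows\System32\sc.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "sc config msdtc start= auto",
    },
    {   # right parent, but 'config'/'start'/'auto' are missing -> contains|all fails
        "Image": r"C:\Windows\System32\sc.exe",
        "ParentImage": r"C:\Users\Public\updata.exe",
        "CommandLine": "sc query msdtc",
    },
    {   # event without a CommandLine field at all must not raise, just not match
        "Image": r"C:\Windows\System32\sc.exe",
        "ParentImage": r"C:\Users\Public\updata.exe",
    },
]

# The four substrings from the rule's CommandLine|contains|all list.
REQUIRED_TOKENS = ("config", "msdtc", "start", "auto")


def matches_pingback_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's 'selection' block.

    ParentImage|endswith  -> suffix test on the lower-cased parent image path
    CommandLine|contains|all -> every token must appear in the lower-cased command line
    Missing fields are treated as empty strings, so they never match.
    """
    parent = str(event.get("ParentImage", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    if not parent.endswith(r"\updata.exe"):
        return False
    return all(token in cmdline for token in REQUIRED_TOKENS)


def find_alerts(events) -> list:
    """Apply the rule to a stream of events and return the ones that fire."""
    return [e for e in events if matches_pingback_rule(e)]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT Pingback Backdoor Activity:", alert["ParentImage"], "->", alert["CommandLine"])
```

Only the first sample event fires; the second fails the parent-image test and the third and fourth fail the `contains|all` test. In a real pipeline the rule would be compiled for the SIEM backend with the Sigma tooling (pySigma / sigma-cli) rather than hand-evaluated like this, but the semantics of the selection are the ones shown here.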
Related rules
- APT27 - Emissary Panda Activity
- DLL Names Used By SVR For GraphicalProton Backdoor
- Diamond Sleet APT DLL Sideloading Indicators
- Lazarus APT DLL Sideloading Activity
- Pingback Backdoor DLL Loading Activity