Analytics Story: Backdoor Pingpong
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to Backdoor.PingPong malware, a legacy threat that provides unauthorized remote access to compromised systems. Look for signs such as unexpected pings or ICMP traffic patterns that deviate from normal behavior: echo requests with oversized or patterned payloads, repeated ICMP sessions from one host to a single external address, or ICMP sessions that stay open far longer than a diagnostic ping would. Investigate unauthorized processes and network connections on the host, particularly those attempting to establish external communication. Correlating threat intelligence (known indicators) with behavioral analytics on ICMP volume, payload size and session duration helps surface the backdoor's command channel. Early detection and response are critical to mitigating the risk of this malware.
Why it matters
Backdoor.PingPong is an older malware family designed to provide unauthorized remote access to compromised systems. It often utilizes ICMP traffic, including ping requests, as a covert communication channel to receive commands or exfiltrate data; ICMP is attractive for this purpose because many networks permit it through firewalls and rarely inspect its payload. Despite its simplicity compared to modern threats, it can still be effective in environments with inadequate monitoring. Once installed, whether through a system vulnerability or an already-compromised host, PingPong lets attackers maintain persistence and control, and poor network segmentation lets its ICMP channel reach the outside. Detecting its activity requires careful analysis of network traffic (the ICMP sessions that a firewall such as Palo Alto records in its traffic log) together with unusual process behaviors on the host, such as the process-creation events that Sysmon for Linux reports.
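The two heuristics described above, run over constructed sample records, as an added example. This is not code from the Splunk analytics story or any of its detections; the record layouts, the field names (src, dst, transport, bytes, packets, duration for traffic; image, cmdline, parent for process creation), the thresholds and the internal address ranges are all assumptions chosen for the example, and the sample records are constructed, not real logs.

```python
"""
Added example (not part of the Splunk analytics story): two simple
detection heuristics for an ICMP backdoor, run over constructed records.

Assumptions (not from the page): traffic records carry src, dst, transport,
bytes, packets and duration, loosely modelled on pan:traffic; process
records carry image, cmdline and parent, loosely modelled on Sysmon for
Linux EventID 1. Thresholds are illustrative starting points, not tuned values.
"""
from collections import defaultdict
import ipaddress
import os
import shlex

# Assumed internal ranges (RFC 1918); anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample traffic records (not real log data).
SAMPLE_TRAFFIC = []
# 10.0.0.5: three ordinary 84-byte echo requests to the gateway (benign).
for _ in range(3):
    SAMPLE_TRAFFIC.append(dict(src="10.0.0.5", dst="10.0.0.1", transport="icmp",
                               bytes=168, packets=2, duration=1))
# 10.0.0.7: thirty short ICMP sessions to one external host, 1200 bytes/packet.
for _ in range(30):
    SAMPLE_TRAFFIC.append(dict(src="10.0.0.7", dst="203.0.113.10", transport="icmp",
                               bytes=2400, packets=2, duration=3))
# 10.0.0.9: a single hour-long ICMP session carrying normal-sized packets.
SAMPLE_TRAFFIC.append(dict(src="10.0.0.9", dst="198.51.100.4", transport="icmp",
                           bytes=302400, packets=3600, duration=3600))
# Unrelated TCP traffic that the heuristic must ignore.
SAMPLE_TRAFFIC.append(dict(src="10.0.0.7", dst="203.0.113.10", transport="tcp",
                           bytes=5000000, packets=4000, duration=120))

# Constructed sample process-creation records (not real Sysmon events).
SAMPLE_PROCESS_EVENTS = [
    dict(image="/usr/bin/ping", cmdline="ping -c 4 10.0.0.1", parent="/bin/bash"),
    dict(image="/usr/bin/ping",
         cmdline="ping -c 1 -s 1400 -p 4d5a9000 203.0.113.10",
         parent="/usr/sbin/apache2"),
    dict(image="/usr/bin/curl", cmdline="curl https://example.invalid", parent="/bin/bash"),
]


def is_external(ip):
    """True when ip falls outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def flag_icmp_anomalies(records, max_bytes_per_packet=120,
                        max_sessions_per_dst=20, max_duration=300):
    """Return {src: [reasons]} for hosts whose ICMP traffic looks like a channel.

    A normal echo request is ~84 bytes on the wire, lasts a moment, and is not
    repeated dozens of times to one external address; each rule targets one
    of those expectations.
    """
    reasons = defaultdict(set)
    sessions_per_pair = defaultdict(int)
    for r in records:
        if r["transport"] != "icmp":
            continue
        src, dst = r["src"], r["dst"]
        if r["packets"] and r["bytes"] / r["packets"] > max_bytes_per_packet:
            reasons[src].add("oversized_icmp_payload")
        if r["duration"] > max_duration:
            reasons[src].add("long_lived_icmp_session")
        if is_external(dst):
            sessions_per_pair[(src, dst)] += 1
    for (src, dst), n in sessions_per_pair.items():
        if n > max_sessions_per_dst:
            reasons[src].add("repeated_icmp_to_external:" + dst)
    return {src: sorted(r) for src, r in reasons.items()}


def flag_ping_process_events(events, max_payload=120,
                             interactive_parents=("/bin/bash", "/bin/sh", "/usr/bin/zsh")):
    """Return [(cmdline, [reasons])] for suspicious invocations of ping.

    Flags a large -s payload, a -p pattern (both stuff data into the echo
    request) and a parent that is not an interactive shell, e.g. a web server.
    """
    flagged = []
    for e in events:
        if os.path.basename(e["image"]) != "ping":
            continue
        args = shlex.split(e["cmdline"])
        found = set()
        for i, a in enumerate(args):
            if a == "-s" and i + 1 < len(args) and args[i + 1].isdigit() \
                    and int(args[i + 1]) > max_payload:
                found.add("large_icmp_payload")
            if a == "-p":
                found.add("custom_payload_pattern")
        if e["parent"] not in interactive_parents:
            found.add("non_interactive_parent")
        if found:
            flagged.append((e["cmdline"], sorted(found)))
    return flagged


if __name__ == "__main__":
    print(flag_icmp_anomalies(SAMPLE_TRAFFIC))
    print(flag_ping_process_events(SAMPLE_PROCESS_EVENTS))
```

In production the thresholds would come from a per-host baseline rather than fixed numbers, and the two signals are strongest when joined: an ICMP anomaly from the firewall log for the same host on which Sysmon shows an unexpected ping invocation.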
Detections
Data Sources
Name | Platform | Sourcetype | Source
---|---|---|---
Palo Alto Network Traffic | Network | pan:traffic | screenconnect_palo_traffic
Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational
Sysmon for Linux EventID 11 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational
References
Source: GitHub | Version: 1