I found this packet capture upload on PacketTotal, and noticed it was using ICMP tunneling to communicate with its command-and-control server.
The alert written on PacketTotal is “OpenSSH in ICMP Payload”. The Alert Signature field states that OpenSSH was detected over ICMP.
I downloaded the pcap from PacketTotal:
… and opened it up in Wireshark.
An ICMP message consists of a Type field, a Code field (essentially a subtype of the Type), a Checksum, and a Data field.
I scrolled down in Wireshark until I found this request:
Sure enough, we have an ICMP request with the following fields: Type 8 (Echo Request), Code 0, Checksum 0x0000, and Data containing the SSH key negotiation!
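As an added example (not code from the post or from PacketTotal), here is a small Python parser that pulls the Type, Code, Checksum and Data fields out of a raw IPv4/ICMP packet and flags echo payloads that carry an SSH identification string, the same thing the "OpenSSH in ICMP Payload" alert keyed on. The packets it inspects are constructed inline as sample input, and the flag_tunnel heuristics (banner match, checksum mismatch, mostly-printable payload) are my own assumptions, not PacketTotal's signature.

```python
import struct

SSH_BANNER = b"SSH-"   # RFC 4253 identification string prefix, e.g. "SSH-2.0-OpenSSH_..."

def icmp_checksum(data: bytes) -> int:
    # RFC 1071 one's-complement sum over the whole ICMP message (checksum field zeroed)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(frame: bytes) -> dict:
    # Parse an IPv4 packet carrying ICMP and return the fields the post lists
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 1:                      # IPv4 protocol number 1 = ICMP
        raise ValueError("not an ICMP packet")
    icmp = frame[ihl:]
    itype, code, csum = struct.unpack("!BBH", icmp[:4])
    payload = icmp[8:] if itype in (0, 8) else icmp[4:]   # echo has id/seq before data
    return {"type": itype, "code": code, "checksum": csum, "payload": payload,
            "checksum_ok": icmp_checksum(icmp[:2] + b"\x00\x00" + icmp[4:]) == csum}

def build_echo(payload: bytes, itype=8, ident=1, seq=1, checksum=None) -> bytes:
    # Constructed sample input: an IPv4 + ICMP echo packet (IP checksum left zero)
    icmp = struct.pack("!BBHHH", itype, 0, 0, ident, seq) + payload
    if checksum is None:
        checksum = icmp_checksum(icmp)
    icmp = icmp[:2] + struct.pack("!H", checksum) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + icmp

def flag_tunnel(pkt: dict) -> list:
    # Reasons an echo packet looks like a tunnel rather than a plain ping (heuristics)
    reasons = []
    if pkt["type"] not in (0, 8):
        return reasons
    p = pkt["payload"]
    if SSH_BANNER in p:
        reasons.append("ssh banner in icmp payload")
    if not pkt["checksum_ok"]:
        reasons.append("bad icmp checksum")
    if len(p) > 64 and sum(32 <= b < 127 for b in p) / len(p) > 0.9:
        reasons.append("large printable payload")
    return reasons
```

Run parse_icmp on each ICMP packet from a capture and feed the result to flag_tunnel; a normal ping payload produces no reasons, while a packet whose Data starts with the SSH banner is flagged.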
You can download any packet capture on PacketTotal.com. Try it yourself!