Attackers are using the normally harmless Windows Finger command to download and install a malicious backdoor on victims’ devices.

The ‘Finger’ command is a utility that originated in Linux/Unix/Windows operating systems that allows a local user to retrieve a list of users on a remote machine or information about a particular remote user.

The security researchers discovered a way to use Finger as a LoLBin to download malware from a remote computer or exfiltrate data. LolBins are legitimate programs that can help attackers bypass security controls to fetch malware without triggering a security alert on the system.

MineBridge backdoor malware.

After discovering numerous phishing campaigns targeting South Korean organizations. These phishing emails contain malicious Word documents disguised as job applicant resumes that install the MineBridge malware.

When a victim clicks on the ‘Enabled Editing’ or ‘Enable Content’ buttons, a password protected macro will be executed to download the MineBridge malware and run it.

The deobfuscated command executed by the macro,uses the finger command to download a Base64 encoded certificate from a remote server and saves it as %AppData%\vUCooUr.

The certificate retrieved via the finger command is a base64 encoded malware downloader malware executable. This certificate is decoded using the certutil.exe command, saved as %AppData%\vUCooUr.exe, and then executed.

Once executed, the downloader will download a TeamViewer executable and use DLL hijacking to sideload a malicious DLL, the MineBridge malware. The remote threat actors will gain full access to the computer and allow them to listen in via the infected device’s microphone, and perform other malicious activities.

Collectively, the two C2 methods support commands for downloading and executing payloads, downloading arbitrary files, self-deletion and updating, process listing, shutting down and rebooting the system, executing arbitrary shell commands, process elevation, turning on/off TeamViewer’s microphone, and gathering system UAC info

Finger is rarely used today, it is suggested that administrators block the Finger command on their network, whether through AppLocker or other methods.