Expert Comments

Experts Insight On Hackers Exploiting The Windows Finger Feature

Expert(s):
Expert(s):

Security researcher Kirk Sayre discovered the new phishing campaign using the Finger Command to infect Windows 10 device with malware. Finger command is used display information about users on the remote machine but can be used to download  MineBridge malware on an unsuspecting victim’s device. It works in this way:

  • The victim received the phishing email containing the document;
  • The victim then clicks to enable editing the document, a macro will run that uses the Finger Command to download a Base64 encoded certificate that is actually a malware executable;
  • The downloader then uses DLL hijacking to sideload the MineBridge malware.

Experts Comments

Dot Your Expert Comments
Jake Moore
January 19, 2021
Cybersecurity Specialist
ESET

Recruiters may want to request CVs are attached as PDFs as they are not required to be edited.

Phishing emails can often be quite easy to spot, but when CVs are attached to emails and sent to HR departments seemingly innocently, the chance of an exploit is heightened. Locating malware in macros in Word documents is nothing new, but this malware is particularly damaging as it can be deployed by just enabling the editing function.

 

Recruiters may want to request CVs are attached as PDFs as they are not required to be edited. Furthermore, it would be a good idea for administrators to block

.....Read More

Phishing emails can often be quite easy to spot, but when CVs are attached to emails and sent to HR departments seemingly innocently, the chance of an exploit is heightened. Locating malware in macros in Word documents is nothing new, but this malware is particularly damaging as it can be deployed by just enabling the editing function.

 

Recruiters may want to request CVs are attached as PDFs as they are not required to be edited. Furthermore, it would be a good idea for administrators to block the rarely used command.

  Read Less
Jordan Dunne
January 19, 2021
Security Consultant
Edgescan

There are however different projects being developed that combine scripts, libraries and binaries to help detect and block such attacks.

This is an example of a ‘Living Off The Land’ attack, which are becoming increasingly common as it is very difficult to detect or mitigate an exploit that uses intended functionality. Unfortunately, much like phishing campaigns, these attacks are difficult to defend against, therefore users' best defence is to be aware of their existence and to be on the look for the tell-tale signs of a compromise. There are however different projects being developed that combine scripts, libraries and

.....Read More

This is an example of a ‘Living Off The Land’ attack, which are becoming increasingly common as it is very difficult to detect or mitigate an exploit that uses intended functionality. Unfortunately, much like phishing campaigns, these attacks are difficult to defend against, therefore users' best defence is to be aware of their existence and to be on the look for the tell-tale signs of a compromise. There are however different projects being developed that combine scripts, libraries and binaries to help detect and block such attacks (LOLBAS project, GTFOBins, JPCERT), but these are not very accessible to the average user, who will likely remain exposed to the risk of Living Off The Land attacks unless similar detection methods are implemented by the likes of Microsoft directly.

  Read Less
Martin Jartelius
January 19, 2021
CSO
Outpost24

The technique as such is called LOTL.

The important bit to understand is that there are hundreds of ways to download code on a windows system, of which finger is just one in the lot. The technique as such is called LOTL, or Living Of The Land, essentially attackers have minimal code that attempts to use as many tools and features as possible when attacking a system to evade detection. The use of finger, or any other such existing binary, is not the cause of the initial infection, or a vulnerability, the code execution occurs when

.....Read More

The important bit to understand is that there are hundreds of ways to download code on a windows system, of which finger is just one in the lot. The technique as such is called LOTL, or Living Of The Land, essentially attackers have minimal code that attempts to use as many tools and features as possible when attacking a system to evade detection. The use of finger, or any other such existing binary, is not the cause of the initial infection, or a vulnerability, the code execution occurs when the victim opens that initial document and approves it to run a macro.

 

Neither the malware, nor the downloader or propagation are new or novel techniques, and the risk as well as solution remain the same – never run active content in files received from external entities.

  Read Less

Dot Your Expert Comments


Only for registered and approved experts. Please register before providing comments. Register here
* By using this form you agree with the storage and handling of your data by this web site.
Submit
0
FacebookTwitterLinkedinWhatsappEmail

You may also like

Qualys Hit With Ransomware And Customer Invoices Leaked

Experts Reaction On PrismHR Hit By Ransomware Attack

Expert Insight On Ryuk’s Revenge: Infamous Ransomware Is Back And...

ObliqueRAT Trojan Lurks On Compromised Websites – Experts Comments

Microsoft Multiple 0-Day Attack – Tenable Comment

Experts Reaction On Malaysia Airlines 9 Years Old Data Breach

IoT Security In The Spotlight, As Research Highlights Alexa Security...

Oxfam Australia Confirms ‘Supporter’ Data Accessed In Cyber Attack

Expert Reaction On Solarwinds Blames Intern For Weak Passwords

Expert Reaction On Go Is Becoming The Language Of Choice...