Security researcher Kirk Sayre discovered a new phishing campaign that uses the Windows Finger command to infect Windows 10 devices with malware. The Finger command is normally used to display information about users on a remote machine, but it can also be abused to download the MineBridge malware onto an unsuspecting victim's device. The attack works as follows:
- The victim receives a phishing email containing a document;
- When the victim clicks to enable editing of the document, a macro runs that uses the Finger command to download a Base64-encoded "certificate" that is actually a malware executable;
- The downloader then uses DLL hijacking to sideload the MineBridge malware.
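The chain above gives defenders two concrete telemetry points: finger.exe being launched by an Office process, and finger.exe opening an outbound connection. The following detection logic is an added example written for this page, not code from the article or any vendor; it runs over constructed Sysmon-like event records (the field names and sample paths are assumptions, not real telemetry) and tags each hit with a severity.

```python
from typing import Dict, List, Optional, Tuple

# Office hosts that have no business launching a network client like finger.exe.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed Sysmon-style events (event_id 1 = process create, 3 = network connect).
# Sample records written for this example; the IP is from the documentation range.
SAMPLE_EVENTS: List[Dict] = [
    {"event_id": 1, "image": r"C:\Windows\System32\finger.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "finger user@203.0.113.10"},
    {"event_id": 3, "image": r"C:\Windows\System32\finger.exe",
     "dest_ip": "203.0.113.10", "dest_port": 79},
    {"event_id": 1, "image": r"C:\Windows\System32\finger.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "finger alice@203.0.113.10"},
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "notepad.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict) -> Optional[str]:
    """Return a severity-tagged finding for one event, or None if not of interest."""
    if basename(event.get("image", "")) != "finger.exe":
        return None
    if event.get("event_id") == 1:
        if basename(event.get("parent_image", "")) in OFFICE_PARENTS:
            return "high: finger.exe spawned by an Office process"
        return "low: finger.exe executed (rare on workstations)"
    if event.get("event_id") == 3:
        return "medium: finger.exe outbound connection to %s:%s" % (
            event.get("dest_ip"), event.get("dest_port"))
    return None


def scan(events: List[Dict]) -> List[Tuple[str, Dict]]:
    """Run classify() over a batch of events and keep only the hits."""
    findings = []
    for event in events:
        label = classify(event)
        if label:
            findings.append((label, event))
    return findings


if __name__ == "__main__":
    for label, event in scan(SAMPLE_EVENTS):
        print(label, "|", event.get("command_line") or event.get("dest_ip"))
```

On a real estate, the "low" rule alone is a useful baseline alert, since legitimate finger.exe use on Windows workstations is close to zero.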
Experts' Comments
This is an example of a 'Living Off The Land' attack, which are becoming increasingly common as it is very difficult to detect or mitigate an exploit that uses intended functionality. Unfortunately, much like phishing campaigns, these attacks are difficult to defend against, therefore users' best defence is to be aware of their existence and to be on the lookout for the tell-tale signs of a compromise. There are however different projects being developed that combine scripts, libraries and

The important bit to understand is that there are hundreds of ways to download code on a Windows system, of which finger is just one in the lot. The technique as such is called LOTL, or Living Off The Land; essentially attackers have minimal code that attempts to use as many tools and features as possible when attacking a system to evade detection. The use of finger, or any other such existing binary, is not the cause of the initial infection, or a vulnerability; the code execution occurs when
Jake Moore, Cybersecurity Specialist:

Phishing emails can often be quite easy to spot, but when CVs are attached to emails and sent to HR departments seemingly innocently, the chance of an exploit is heightened. Locating malware in macros in Word documents is nothing new, but this malware is particularly damaging as it can be deployed by just enabling the editing function.
Recruiters may want to request that CVs are attached as PDFs, as they are not required to be edited. Furthermore, it would be a good idea for administrators to block the rarely used command.