Experts Insight On Hackers Exploiting The Windows Finger Feature

Security researcher Kirk Sayre discovered a new phishing campaign that uses the Windows Finger command to infect Windows 10 devices with malware. The Finger command is normally used to display information about users on a remote machine, but it can also be used to download the MineBridge malware onto an unsuspecting victim's device. It works in this way:

  • The victim receives a phishing email containing the document;
  • When the victim clicks to enable editing of the document, a macro runs that uses the Finger command to download a Base64-encoded "certificate" that is actually a malware executable;
  • The downloader then uses DLL hijacking to sideload the MineBridge malware.
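The chain above leaves a recognisable trail in endpoint telemetry: a rarely used finger.exe spawned by an Office application, and a DLL loaded from a user-writable folder. The following detection sketch is an added example, not code from the article or from the researcher; it classifies constructed, Sysmon-style process-creation and image-load records (the sample events, paths and host names are made up for the example).

```python
# Added example: classify Sysmon-style events for the finger download chain.
# Sample events below are constructed for illustration, not real telemetry.

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def exe_name(path: str) -> str:
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> tuple[str, list[str]]:
    """Return (severity, reasons) for one event; severity is high/medium/none."""
    reasons = []
    if event["EventType"] == "ProcessCreate":
        image = exe_name(event["Image"])
        parent = exe_name(event["ParentImage"])
        cmd = event.get("CommandLine", "").lower()
        if image == "finger.exe":
            # finger.exe is almost never run legitimately on a workstation, so any
            # execution deserves review; "user@host" means an outbound TCP/79 query.
            reasons.append("finger.exe executed")
            if "@" in cmd:
                reasons.append("finger queries a remote host (outbound TCP/79)")
            if parent in OFFICE_APPS:
                reasons.append(f"finger.exe spawned by Office app {parent} (macro child)")
        elif parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            reasons.append(f"{image} spawned by Office app {parent} (macro child)")
        severity = ("high" if parent in OFFICE_APPS else "medium") if reasons else "none"
    else:  # ImageLoad: a DLL loaded from a user-writable directory is a sideload signal
        loaded = event["ImageLoaded"].lower()
        if loaded.endswith(".dll") and any(p in loaded for p in USER_WRITABLE):
            reasons.append(f"DLL loaded from user-writable path: {event['ImageLoaded']}")
        severity = "medium" if reasons else "none"
    return severity, reasons


def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run classify() over a batch and keep only the events that raised a reason."""
    return [r for r in (classify(e) for e in events) if r[0] != "none"]


if __name__ == "__main__":
    sample = [  # constructed events
        {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\finger.exe",
         "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
         "CommandLine": "finger.exe user@203.0.113.10"},
        {"EventType": "ImageLoad", "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
         "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll"},
    ]
    for severity, reasons in scan(sample):
        print(severity, "|", "; ".join(reasons))
```

Blocking finger.exe outright (as one of the experts below suggests) is cheap where nothing legitimate uses it; where it must stay, the Office-parent rule is the higher-fidelity signal.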

Experts Comments

January 19, 2021
Jake Moore
Cybersecurity Specialist
ESET


Phishing emails can often be quite easy to spot, but when CVs are attached to emails and sent to HR departments seemingly innocently, the chance of an exploit is heightened. Locating malware in macros in Word documents is nothing new, but this malware is particularly damaging as it can be deployed by just enabling the editing function.

 

Recruiters may want to request that CVs be attached as PDFs, as they are not required to be edited. Furthermore, it would be a good idea for administrators to block the rarely used command.

January 19, 2021
Jordan Dunne
Security Consultant
Edgescan


This is an example of a ‘Living Off The Land’ attack, which is becoming increasingly common as it is very difficult to detect or mitigate an exploit that uses intended functionality. Unfortunately, much like phishing campaigns, these attacks are difficult to defend against; therefore users' best defence is to be aware of their existence and to be on the lookout for the tell-tale signs of a compromise. There are, however, different projects being developed that combine scripts, libraries and binaries to help detect and block such attacks (LOLBAS project, GTFOBins, JPCERT), but these are not very accessible to the average user, who will likely remain exposed to the risk of Living Off The Land attacks unless similar detection methods are implemented by the likes of Microsoft directly.

January 19, 2021
Martin Jartelius
CSO
Outpost24


The important bit to understand is that there are hundreds of ways to download code on a Windows system, of which finger is just one in the lot. The technique as such is called LOTL, or Living Off The Land: essentially, attackers have minimal code that attempts to use as many existing tools and features as possible when attacking a system, to evade detection. The use of finger, or any other such existing binary, is not the cause of the initial infection, nor a vulnerability; the code execution occurs when the victim opens that initial document and approves it to run a macro.

 

Neither the malware, nor the downloader or propagation are new or novel techniques, and the risk as well as solution remain the same – never run active content in files received from external entities.
