Security researcher Kirk Sayre discovered a new phishing campaign that uses the Windows Finger command to infect Windows 10 devices with malware. The Finger command is normally used to display information about users on a remote machine, but it can be abused to download the MineBridge malware onto an unsuspecting victim's device. It works in this way:
- The victim receives a phishing email with the document attached;
- When the victim clicks to enable editing of the document, a macro runs that uses the Finger command to download a Base64-encoded "certificate" that is actually a malware executable;
- The downloader then uses DLL hijacking to sideload the MineBridge malware.
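Two defender-side checks for the chain above, written as an added example (not code from the article or from the researcher): flag finger.exe launched by an Office process in process-creation telemetry, and check whether a fetched "certificate" is really a Windows executable hidden in Base64. The Sysmon-style field names, the Office parent list, the sample events and the PEM wrapper are constructed assumptions.

```python
import base64
import re
import struct

# Constructed Sysmon-style process-creation events (not real telemetry).
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\finger.exe", "cmdline": "finger alice@intranet"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\finger.exe", "cmdline": "finger.exe 1@203.0.113.10"},
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}  # assumed list

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def office_spawned_finger(events):
    """Return events where finger.exe was launched by an Office process."""
    return [ev for ev in events
            if basename(ev["image"]) == "finger.exe"
            and basename(ev["parent"]) in OFFICE_PARENTS]

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def classify_cert_blob(text):
    """'pe' if the PEM body is really a Windows executable, 'der' if it
    looks like an X.509 DER SEQUENCE, otherwise 'unknown' or an error code."""
    m = PEM_RE.search(text)
    if not m:
        return "no-pem"
    try:
        raw = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:
        return "bad-base64"
    if raw[:2] == b"MZ" and len(raw) >= 0x40:
        e_lfanew = struct.unpack_from("<I", raw, 0x3C)[0]   # offset of the PE header
        if raw[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    if raw[:2] == b"\x30\x82":
        return "der"
    return "unknown"

def build_fake_pe():
    # Constructed minimal PE skeleton: DOS header whose e_lfanew points at "PE\0\0".
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20

PEM_HDR, PEM_FTR = "-----BEGIN CERTIFICATE-----\n", "\n-----END CERTIFICATE-----\n"
FAKE_PE_PEM = PEM_HDR + base64.b64encode(build_fake_pe()).decode() + PEM_FTR   # disguised EXE
DER_PEM = PEM_HDR + base64.b64encode(b"\x30\x82\x01\x00" + b"\x00" * 16).decode() + PEM_FTR
```

Run against real telemetry, the first check is a cheap alert rule; the second is a triage step for any "certificate" a rarely used binary pulled down.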
Phishing emails can often be quite easy to spot, but when CVs are attached to emails sent to HR departments, seemingly innocently, the chance of a successful exploit is heightened. Hiding malware in Word document macros is nothing new, but this malware is particularly damaging because it can be deployed simply by enabling editing.

Recruiters may want to request that CVs be attached as PDFs, since they do not need to be edited. Furthermore, it would be a good idea for administrators to block the rarely used Finger command.
This is an example of a "Living Off The Land" attack. Such attacks are becoming increasingly common because it is very difficult to detect or mitigate an exploit that uses intended functionality. Unfortunately, much like phishing campaigns, these attacks are difficult to defend against, so users' best defence is to be aware of their existence and to look out for the tell-tale signs of a compromise. There are, however, projects that catalogue the scripts, libraries and binaries that can be abused in this way, to help detect and block such attacks (the LOLBAS project, GTFOBins, JPCERT), but these are not very accessible to the average user, who will likely remain exposed to the risk of Living Off The Land attacks unless similar detection methods are implemented by the likes of Microsoft directly.
The important point to understand is that there are hundreds of ways to download code onto a Windows system, of which finger is just one. The technique is called LOTL, or Living Off The Land: attackers keep their own code minimal and use as many of the system's existing tools and features as possible when attacking it, in order to evade detection. The use of finger, or any other such existing binary, is neither the cause of the initial infection nor a vulnerability; code execution occurs when the victim opens the initial document and approves the macro to run.

Neither the malware, nor the downloader, nor the propagation are new or novel techniques, and the risk as well as the solution remain the same: never run active content in files received from external entities.