A phishing campaign has been discovered that abuses the Windows Finger command to install a malware strain called MineBridge.
The Finger command in Windows can be launched by a local user to gather a list of users on a remote machine or, alternatively, to collect information about a specific remote user. The Finger utility began in Linux and Unix operating systems but is also included in Windows. The utility allows commands to be run to check whether a particular user is logged on, although this is now rarely used.
There are also security issues with the finger utility, and it has been taken advantage of previously to ascertain basic information about users that can be targeted in social engineering attacks. Weaknesses in the finger protocol have also been exploited in the past by some malware strains.
Recently, security experts discovered that Finger can be used as a LOLBin (a living-off-the-land binary) to download malware from a remote server or to exfiltrate data without triggering security alerts. Finger is now being used in at least one phishing campaign to install malware.
MineBridge malware is a Windows backdoor written in C++ that has previously been used in attacks on South Korean businesses. The malware was initially discovered in December 2020 by researchers at FireEye, and in January 2020 many different campaigns were identified spreading the malware via phishing emails carrying malicious Word files.
The most recent campaign sees the attackers pose as a recruitment business. The email recommends an individual for consideration for a position at the targeted company. The sender suggests that even if there are no current vacancies, the CV should be reviewed and the individual considered. The email is well written and appears genuine.
As is typical in phishing attacks, when the document is opened a message is shown telling the user that the document was created in an older version of Windows and that, to view the content, the user must ‘enable editing’ and then ‘enable content’. Doing so runs the macro, which uses the Finger command to retrieve a Base64-encoded certificate. The certificate is in fact a malware installer that leverages DLL hijacking to sideload the MineBridge backdoor. Once in place, MineBridge gives the attacker control over the infected device and allows a range of malicious actions to be carried out.
The simplest way to prevent attacks like this is to configure an advanced spam filtering solution that blocks the dangerous emails and stops them from reaching inboxes. As an extra security measure against this and other campaigns that abuse the finger.exe utility in Windows, administrators should consider disabling finger.exe if it is never used.
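The macro-to-Finger chain described above (finger.exe launched by Word) and the closing advice that finger.exe is rarely needed both translate naturally into a process-creation detection. The following script is an added example, not part of the original article or of any vendor's tooling: it scans constructed, Sysmon-style "process create" records (the field names Image, ParentImage, User and CommandLine mirror Sysmon Event ID 1 naming, but the log lines, hostnames, usernames and IP address are made up) and flags any launch of finger.exe, rating it high when the parent is an Office application and medium otherwise.

```python
"""Flag finger.exe launches in process-creation telemetry.

Added example for illustration. The records below are constructed in a
Sysmon-like "Key=Value Key=Value" layout; no real telemetry is used.
"""
import ntpath
import re
from dataclasses import dataclass

# Office applications whose child processes usually mean a macro ran.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample records (not real captures).
SAMPLE_EVENTS = [
    # A Word macro launching finger.exe: the chain the article describes.
    "2021-01-15T09:12:03Z Image=C:\\Windows\\System32\\finger.exe "
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE "
    "User=CORP\\alice CommandLine=finger.exe someuser@203.0.113.10",
    # An administrator running finger interactively from a console.
    "2021-01-15T10:40:51Z Image=C:\\Windows\\System32\\finger.exe "
    "ParentImage=C:\\Windows\\System32\\cmd.exe "
    "User=CORP\\bob CommandLine=finger bob@intranet.example",
    # An unrelated process that must not be flagged.
    "2021-01-15T10:41:07Z Image=C:\\Windows\\System32\\notepad.exe "
    "ParentImage=C:\\Windows\\explorer.exe "
    "User=CORP\\carol CommandLine=notepad.exe notes.txt",
]

# Matches "Key=Value" pairs; a value runs until the next " Key=" or end of line,
# so values containing spaces (such as "Program Files") are kept intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


@dataclass
class Finding:
    severity: str
    user: str
    parent: str
    command_line: str
    reason: str


def parse_event(line):
    """Split one record into a dict of field name -> value."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def assess(event):
    """Return a Finding if the record is a finger.exe launch, else None."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image != "finger.exe":
        return None
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    user = event.get("User", "")
    command_line = event.get("CommandLine", "")
    if parent in OFFICE_PARENTS:
        return Finding(
            "high", user, parent, command_line,
            "finger.exe spawned by an Office application (likely macro execution)",
        )
    return Finding(
        "medium", user, parent, command_line,
        "finger.exe executed; the utility is rarely needed on modern Windows",
    )


def scan(lines):
    """Run assess() over every record and collect the findings in order."""
    findings = []
    for line in lines:
        finding = assess(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] user={f.user} parent={f.parent} "
              f"cmd={f.command_line!r}: {f.reason}")
```

Running the script on the sample records reports the Word-spawned launch as high and the console launch as medium, and ignores the notepad record. In an environment where finger.exe has been disabled as the article suggests, any finding at all is worth a look; where it is still present, the Office-parent rule isolates the macro case without drowning analysts in interactive admin use.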