Criminals Revive Ancient ‘Finger’ Command for Malicious Attacks
A software tool that has largely faded from common use is now being exploited by cybercriminals for malicious purposes. The ancient “finger” command, originally designed to retrieve user information on Unix and later Windows systems, is witnessing a resurgence in attacks aimed at executing harmful code. Security researchers have reported a notable increase in campaigns utilizing this tool, particularly in scams known as “ClickFix,” where users are tricked into executing seemingly innocuous commands.
The Finger service, despite being considered outdated, is still supported by most operating systems, making it a target for attackers. According to research from Bleeping Computer, recent attacks leverage the Finger service as a conduit for harmful scripts. In one incident shared on social media platform Reddit, a user unwittingly executed a command after responding to a fake Captcha prompt. This command initiated a Finger call, which relayed information directly to the Windows command prompt, allowing malicious code to be reloaded and executed instantly.
Security experts have analyzed these attacks and discovered that the Finger responses often contain scripts that create temporary directories, rename essential system tools such as “curl,” and download malware from designated servers. In one documented case, a fake PDF archive was unpacked, revealing a Python module designed for spying. Other variations of the attack delivered the remote maintenance Trojan NetSupport Manager, which provides attackers with extensive control over compromised systems.
In some instances, these malicious routines are programmed to detect security analysis tools like Wireshark or Process Hacker. If found, the malware will terminate its own processes to avoid detection. Experts believe that these attacks likely originate from a single actor, highlighting the method’s effectiveness despite its simplicity. The reliance on social engineering tactics ensures that users inadvertently execute dangerous commands themselves.
To mitigate these risks, security researchers recommend blocking outgoing connections through TCP port 79, which is the port associated with the Finger service. Additionally, users should be cautioned against executing commands from unknown sources in the command line, regardless of how harmless they may appear.
As cyber threats evolve, it is crucial for users and organizations to remain vigilant. Awareness and education about these tactics can significantly reduce the likelihood of falling victim to such scams.
