Decades‑old Finger Protocol Abused in ClickFix Attacks — Why Small Commands Can Cause Big Damage

The Finger protocol — a relic from the early internet used to query user info on remote hosts — has quietly reappeared in modern malware campaigns. Attackers are weaponizing Finger as a low‑noise remote script delivery channel inside ClickFix social‑engineering attacks: victims are tricked into running a short Windows command that runs the Finger query and pipes its output into cmd.exe, which then executes remote instructions. The result is a compact, resilient delivery chain that bypasses some detection patterns, installs loaders or RATs (NetSupport, Python infostealers), and establishes persistent access.

How the attack works (simple flow)

1. Victim receives a ClickFix-style prompt (fake captcha or verification) instructing them to run a short command (e.g., via Win+R).
2. The command runs the Finger client to query a malicious Finger server (TCP port 79) and pipes the server response into cmd.exe..
3. The server‑supplied response contains shell commands that download and unpack payloads (often disguised as PDFs), copy utilities (curl), and run staged malware.
4. Malware installs persistence (scheduled tasks, registry Run keys) and deploys remote access, keylogging, or infostealer components.
5. The victim sees a benign “verify you are human” message while the compromise proceeds in the background.

Why this is effective and dangerous

• Low‑visibility channel: Finger traffic over port 79 is uncommon in modern environments and may not be profiled or inspected by many defenses.
• Minimal user interaction required: The social engineering step is short and plausible (a verification prompt), and victims are coaxed into running a single command.
• Simple execution chain: By piping command text from the Finger server directly into cmd.exe, attackers avoid hosting obvious script files on the target.
• Evasion checks: Some campaigns probe for analysis tools and abort if sandbox artifacts are present, reducing the chance of detection and public reporting.
• Diverse payloads: Campaigns have dropped Python packages, loaders, and NetSupport RAT, enabling credential theft, remote control, and lateral movement.

Actionable defenses (what defenders should do now)

• Block and monitor port 79 egress: Prevent outbound TCP 79 where policy allows; at minimum log and alert on it (proxy, FW, NDR).
• Educate users about ClickFix and short-run commands: Train staff never to paste or run commands from web pages, chats, or pop-ups; treat “paste this command” prompts as high‑risk.
• Restrict command execution on user endpoints: Use application allow‑listing and PowerShell/Win32exec restrictions; block execution of cmd/curl/python from nonstandard locations.
• Detect clipboard and run‑dialog abuse: Alert on patterns where browsers or web pages trigger clipboard changes followed by Run dialog commands or immediate cmd.exe invocations.
• Harden admin workstations: Prevent admin tooling downloads from search results; restrict admin tasks to hardened jump hosts with controlled software catalogs.
• EDR hunting: Search for indicators — commands piping external input into cmd.exe, curl being copied to unusual filenames, scheduled tasks created by user contexts, and Python packages executed by pythonw.exe..
• Network detection: Look for Finger protocol traffic or unusual HTTP/HTTPS alternates to finger servers; flag repeated small TCP flows to uncommon hosts.

Incident response checklist (if you detect activity)

1. Isolate affected host(s) and preserve volatile data (memory, process lists, clipboard history if possible).
2. Collect forensic artifacts: cmd histories, scheduled tasks, registry Run keys, downloaded ZIPs, unpacked files, and network captures.
3. Revoke and rotate credentials that may have been accessed; reset sessions for impacted accounts.
4. Reimage compromised hosts if persistence or credential theft is confirmed; otherwise remove persistence and harden before returning to production.
5. Hunt broadly for lateral movement and other compromised hosts using similar indicators.
6. Report IoCs and update blocklists for internal tooling and threat intel sharing communities.

Final thought

The Finger abuse is a textbook example of how old, rarely monitored protocols become attractive to attackers: they offer novel channels that slip past maturity gaps in defenses. The fix is straightforward in principle — block or monitor atypical protocols, reduce the temptation for users to execute ad‑hoc commands, and harden endpoint execution policies — but requires coordinated changes across network, endpoint, and user awareness programs. Treat uncommon network ports and simple “paste this command” social engineering as first‑class risks.