Hello, welcome to the Wednesday, June 2, 2021 edition of the Sandinternet Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

Renato today analyzes a recent version of the Guildmower Astoroth Malver that he came across and well it's remarkable in so far as it's

using a fairly old Unix utility that's also found on Windows finger.

Finger in the past had been used in order to check on the status of remote users who is logged into a particular

system and also which accounts exist. Given that the utility didn't really know any

off occasion and wasn't really that terribly useful, it has since pretty much been forgotten, but apparently

Windows still includes a fingerclined, and this latest version of Giltma is taking advantage

of this by using this utility to retrieve additional commands. As so many information security stories, it starts with an email that contains a SIP file as an attachment,

and instead of a PDF, as promised, it includes a link file that's then being used to startfinger.e.

And retrieve additional commands from the attackers command and control server.

The reply from this finger command will then be used to create a visual basic script

and that is being executed to then download additional malware.

Also taking advantage later of good old

Bits admin, which of course is often used to send HTTP requests and retrieve malicious

binaries like in this case. So overall, a pretty neat use of sort of the living off the land

techniques. Bits admin of course course, has been used quite often

for that. Finger is a little bit of a new way of starting it all off. As far as preventive or

detective measures go, take a look for connections to and from Port 79. That's the port used by

finger by default. And I believe it's safe to

just remove that executable from your window systems. And researchers at the University of Luxembourg

...