Exposed Docker APIs are under attack in the ‘Commando Cat’ cryptojacking campaign

Cryptojacking Campaign

Exposed Docker API endpoints over the internet are being attacked by a sophisticated cryptojacking campaign called Commando Cat.

“The campaign uses a benign container generated using the Commando project,” Cado Security researchers Nate Bill and Matt Muir said in a new report published today. “The attacker escapes from this container and runs multiple payloads on the Docker host.”

The campaign is believed to have been active since early 2024, making it the second such campaign discovered in as many months. In mid-January, the cloud security company also shed light on another cluster of activity targeting vulnerable Docker hosts to deploy the XMRig cryptocurrency miner and 9Hits Viewer software.

Commando Cat uses Docker as an initial access vector to deliver a collection of interdependent payloads from an actor-controlled server, which are responsible for establishing persistence, backdooring the host, exfiltrating cloud service provider (CSP) credentials and starting the miner.

The foothold gained by breaching exposed Docker instances is then used to deploy a harmless container built with the open source Commando tool and to execute a malicious command inside it that uses chroot to break out of the container's boundaries.

It also performs a series of checks to determine whether services named “sys-kernel-debugger”, “gsc”, “c3pool_miner” and “dockercache” are running on the compromised system, and proceeds to the next stage only if this step succeeds.

“The purpose of checking for sys-kernel-debugger is unclear: this service is not used anywhere in the malware and is not part of Linux,” the researchers said. “It is possible that the service is part of another campaign that the attacker does not want to compete with.”

The next phase involves retrieving additional payloads from the command-and-control (C2) server, including a shell script backdoor (user.sh) that adds an SSH key to the ~/.ssh/authorized_keys file and creates a rogue user named “games” with a password known to the attacker, adding it to the /etc/sudoers file.


Similarly, three more shell scripts are provided (tshd.sh, gsc.sh and aws.sh), designed to run Tiny SHell and an improved version of netcat called gs-netcat, and to exfiltrate credentials.

The threat actors “execute a command on the cmd.cat/chattr container that pulls the payload from their own C2 infrastructure,” Muir told The Hacker News, noting that this is accomplished by using curl or wget and piping the resulting payload directly into the bash command shell.

“Instead of using /tmp, [gsc.sh] also uses /dev/shm, which acts as a temporary file store but is memory-backed,” the researchers said. “It is possible that this is an evasion mechanism, as it is much more common for malware to use /tmp.”

“This also means that the artefacts do not touch the drive, making forensic investigations somewhat more difficult. This technique has been used before in BPFdoor, a high-profile Linux campaign.”
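The three host-side conditions the article describes (a Docker API reachable over TCP, a system account such as “games” given a login shell and a sudoers entry, and payloads executing from memory-backed /dev/shm rather than disk) can each be checked from the host. The following audit script is an added example written for this page, not Cado's tooling or anything from the campaign; the daemon.json, /etc/passwd, /etc/sudoers and process samples embedded in it are constructed, and the file paths it reads on a live host are the usual Linux defaults.

```python
"""Audit a Linux host for the tradecraft described in the article: an exposed
Docker API, a system account granted a login shell and sudo, and processes
executing from /dev/shm or /tmp. Checks take their inputs as strings/dicts so
they run offline on the constructed samples; main() reads live state on a host."""
import json
import os
import re
from typing import Dict, List

# Constructed sample inputs (not taken from the article; they mimic the described setup).
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = ('{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true, '
                        '"tlscacert": "/etc/docker/ca.pem"}')
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "games:x:5:60:games:/usr/games:/bin/bash\n"           # system account given a shell
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "alice:x:1000:1000::/home/alice:/bin/bash\n"
)
SAMPLE_SUDOERS = "root ALL=(ALL:ALL) ALL\n%sudo ALL=(ALL:ALL) ALL\ngames ALL=(ALL) NOPASSWD:ALL\n"
SAMPLE_PROC_EXES = {1: "/usr/lib/systemd/systemd", 4242: "/dev/shm/.x/xmrig",
                    4300: "/tmp/.k/gs-netcat", 5100: "/usr/bin/sshd"}


def audit_docker_daemon(daemon_json: str) -> List[str]:
    """Flag a daemon.json that binds the API to TCP without TLS client verification."""
    try:
        cfg = json.loads(daemon_json)
    except json.JSONDecodeError:
        return ["daemon.json is not valid JSON"]
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        return ["Docker API listens on %s without tlsverify" % ", ".join(tcp_hosts)]
    return []


def audit_accounts(passwd: str, sudoers: str) -> List[str]:
    """Flag system accounts (0 < uid < 1000) with an interactive shell, and any
    sudoers rule that names a user other than root directly (not a %group)."""
    findings = []
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) != 7 or not f[2].isdigit():
            continue
        name, uid, shell = f[0], int(f[2]), f[6]
        if 0 < uid < 1000 and not shell.endswith(("nologin", "/false")):
            findings.append(f"system account {name!r} (uid {uid}) has login shell {shell}")
    for line in sudoers.splitlines():
        rule = line.split("#", 1)[0].strip()
        m = re.match(r"^([^%\s]\S*)\s+\S+\s*=", rule)   # "<user> <host>=(...) ..."
        if m and m.group(1) not in ("root", "Defaults"):
            findings.append(f"sudoers grants {m.group(1)!r}: {rule}")
    return findings


def procs_running_from_volatile_paths(proc_exes: Dict[int, str]) -> List[int]:
    """Return pids whose executable lives under /dev/shm or /tmp; /dev/shm is the
    memory-backed location the article says gsc.sh uses to stay off disk."""
    return sorted(pid for pid, exe in proc_exes.items()
                  if exe.startswith(("/dev/shm/", "/tmp/")))


def read_proc_exes() -> Dict[int, str]:
    """Resolve /proc/<pid>/exe for every live process (other users' pids need root)."""
    exes = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                exes[int(entry)] = os.readlink(f"/proc/{entry}/exe")
            except OSError:
                pass
    return exes


def run_audit(daemon_json: str, passwd: str, sudoers: str,
              proc_exes: Dict[int, str]) -> List[str]:
    findings = audit_docker_daemon(daemon_json) + audit_accounts(passwd, sudoers)
    findings += [f"pid {pid} executes from {proc_exes[pid]}"
                 for pid in procs_running_from_volatile_paths(proc_exes)]
    return findings


def _read(path: str, fallback: str) -> str:
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return fallback


if __name__ == "__main__":
    if os.path.isdir("/proc/1"):   # real Linux host: audit live state
        findings = run_audit(_read("/etc/docker/daemon.json", "{}"), _read("/etc/passwd", ""),
                             _read("/etc/sudoers", ""), read_proc_exes())
    else:                          # elsewhere: demonstrate on the constructed samples
        findings = run_audit(SAMPLE_DAEMON_JSON, SAMPLE_PASSWD, SAMPLE_SUDOERS, SAMPLE_PROC_EXES)
    for finding in findings:
        print("FINDING:", finding)
```

On the constructed samples the script reports five findings: the unauthenticated TCP listener, the “games” account's login shell, its sudoers rule, and the two processes running from /dev/shm and /tmp. Two caveats for live use: the Docker daemon may also receive its listen addresses from the `-H` flag in its systemd unit rather than daemon.json, so check `docker info`/the unit file as well, and /etc/sudoers.d drop-ins are not read here.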

The attack culminates in the deployment of another payload, delivered directly as a Base64-encoded script rather than retrieved from the C2 server, which in turn drops the XMRig cryptocurrency miner, but not before competing miner processes on the infected machine are killed.

The exact origin of the threat actor behind Commando Cat is currently unclear, although the shell scripts and C2 IP address have been observed to overlap with those historically associated with cryptojacking groups such as TeamTNT, raising the possibility that it is a copycat group.

“The malware functions as a credential thief, a highly stealthy backdoor, and a cryptocurrency miner all in one,” the researchers said. “This makes it versatile and capable of extracting as much value from infected machines as possible.”
