Cybersecurity researchers from Cado Security recently discovered an advanced new cryptojacking campaign that targets exposed Docker API endpoints over the internet
The campaign, called “Commando Cat”, has been active since early 2024, the researchers added, saying that this was the second such campaign to be discovered in just two months.
According to the report, the attackers would deliver an interdependent payload from their own server, leveraging Docker as an initial access vector. The first container, built using the Commando open-source tool, is seemingly benign, but allows the attackers to escape the container and run multiple payloads on the Docker host itself.
Copycats
The payloads delivered depend on the short-term goals of the campaign, and include establishing persistence, backdooring the host, exfiltrating cloud service provider credentials, and launching cryptocurrency miners, the researchers explained. The cryptocurrency miner being deployed as part of this campaign is the infamous XMRig, a hugely popular cryptojacker that mines Monero (XMR), a privacy-oriented currency that’s almost impossible to trace.
Commando cat uses a different folder to temporarily store stolen files, Cado Security’s researchers added, suggesting this was done as an evasion mechanism. Indeed, this makes forensic analysis more challenging, they said.
At press time, the researchers don’t know who the threat actors behind Commando Cat are, but say they noticed overlaps in shell scripts and C2 IP addresses with another cryptojacking group called TeamTNT. Still, Cado doesn’t believe TeamTNT to be behind this particular campaign, and rather leans towards a copycat group.
To defend against such attacks, users are advised to update their Docker instances and implement necessary security measures, the researchers concluded.
Earlier this month, the same cybersecurity team discovered a similar campaign, targeting vulnerable Docker hosts to deploy both XMRig and the 9Hits Viewer software. 9hits is a web traffic exchange platform, where users can drive traffic among themselves. When a user installs 9hits, their device visits other members’ websites via a headless Chrome instance. In exchange, the user receives credits which they can then spend to drive traffic to their own sites. By installing 9hits on compromised Docker instances, the attackers generate additional credits which they can then exchange for more traffic for themselves.
Via The Hacker News
