In findings released by Cado researchers, a malware campaign called “Commando Cat” was discovered that targets exposed Docker API endpoints.
The cryptojacking campaign has only been active since the beginning of this year but is already the second to target Docker; according to the researchers, the first used the traffic-exchange application 9hits. Attacks on Docker are not rare, however, especially in cloud environments.
“This campaign demonstrates the attackers’ continued determination to exploit the service and achieve a variety of objectives,” the researchers said. “Commando Cat is a cryptojacking campaign that leverages Docker as the initial access vector and (ab)uses the service to mount the host’s filesystem, before executing a series of interdependent payloads directly on the host.”
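The Docker Engine API, when reachable over the network without authentication, lets any caller create a container with arbitrary host bind mounts, and a container that mounts the host root is effectively root on the host. The script below is an added example, not Cado's tooling or anything from the campaign: it takes the JSON that `docker inspect` prints (the same records the Engine API's `GET /containers/<id>/json` returns) and flags containers that bind sensitive host paths, run privileged, share the host PID namespace, or chroot in their command, which is a common way to execute on a bind-mounted host filesystem. The sample records, the list of sensitive paths and the finding strings are constructed for the example.

```python
"""Flag containers whose configuration matches the host-mount pattern described above.

Added example, not Cado's or the campaign's code. Input is the JSON array that
`docker inspect` prints; the sample at the bottom is constructed for the example.
"""
import json

# Host paths whose exposure to a container amounts to host compromise.
# Assumption: list chosen for the example; extend it for your environment.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock", "/proc", "/sys")


def _covers(mounted, target):
    """True when host path `mounted` is `target` itself or one of its ancestors."""
    mounted = mounted.rstrip("/") or "/"
    target = target.rstrip("/") or "/"
    return mounted == "/" or target == mounted or target.startswith(mounted + "/")


def _bind_sources(host_cfg, mounts):
    """Collect host-side paths from HostConfig.Binds ("src:dst[:opts]") and bind-type Mounts."""
    sources = set()
    for bind in host_cfg.get("Binds") or []:
        sources.add(bind.split(":", 1)[0])
    for m in mounts or []:
        if m.get("Type") == "bind" and m.get("Source"):
            sources.add(m["Source"])
    return sources


def host_mount_findings(record):
    """Return the findings for one inspect record; an empty list means nothing suspicious."""
    findings = []
    host_cfg = record.get("HostConfig") or {}
    for src in sorted(_bind_sources(host_cfg, record.get("Mounts"))):
        if any(_covers(src, p) for p in SENSITIVE_HOST_PATHS):
            findings.append(f"bind of sensitive host path {src}")
    if host_cfg.get("Privileged"):
        findings.append("privileged container")
    if host_cfg.get("PidMode") == "host":
        findings.append("shares host PID namespace")
    cmd = " ".join((record.get("Config") or {}).get("Cmd") or [])
    if "chroot" in cmd:
        findings.append(f"chroot in command: {cmd}")
    return findings


def scan(inspect_json):
    """Map container name -> findings for every flagged container in a `docker inspect` JSON array."""
    results = {}
    for record in json.loads(inspect_json):
        name = record.get("Name", "").lstrip("/") or record.get("Id", "?")[:12]
        findings = host_mount_findings(record)
        if findings:
            results[name] = findings
    return results


# Constructed sample: an ordinary web container and one that mounts the host root and chroots into it.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "a1b2c3d4e5f6", "Name": "/web",
        "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {"Binds": ["web-data:/usr/share/nginx/html"], "Privileged": False},
        "Mounts": [{"Type": "volume", "Name": "web-data", "Destination": "/usr/share/nginx/html"}],
    },
    {
        "Id": "f6e5d4c3b2a1", "Name": "/elated_kepler",
        "Config": {"Image": "alpine", "Cmd": ["chroot", "/mnt", "sh", "-c", "uname -a"]},
        "HostConfig": {"Binds": ["/:/mnt"], "Privileged": True, "PidMode": "host"},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}],
    },
])

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_INSPECT).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run it against live data with `docker inspect $(docker ps -aq) | python3 scan.py` after replacing `SAMPLE_INSPECT` with `sys.stdin.read()`. Note that a read-only bind of `/` is still flagged: the campaign's interest is in reading credentials from the host as much as in writing to it, and `:ro` does not stop that.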
It is unclear who the threat actor behind Commando Cat is or where it operates from, although there is overlap in scripts and IP addresses with other groups such as TeamTNT, indicating either a connection or an imitator.
Given its level of redundancy and amount of evasion, the campaign is sophisticated in how it hides itself. Acting as credential stealer, backdoor and cryptocurrency miner all in one, it constitutes a highly stealthy and malicious threat.