Docker API endpoints exposed on the Internet are under attack by a sophisticated cryptojacking campaign called Commando Cat.
“The campaign uses a harmless container generated using Project Commando,” Cado security researchers Nate Bill and Matt Muir said in a new report released today. “The attacker escapes this container and executes multiple payloads on the Docker host.”
The campaign is believed to have been active since early 2024, making it the second such campaign to be discovered in as many months. In mid-January, the cloud security firm also shed light on another cluster of activity targeting vulnerable Docker hosts to deploy the XMRig cryptocurrency miner and 9Hits Viewer software.
Commando Cat uses Docker as the initial access vector to deliver a collection of interdependent payloads from an actor-controlled server that registers persistence, backdoors the host, exfiltrates cloud service provider (CSP) credentials, and launches the miner.
The foothold gained by breaching exposed Docker instances is then abused to deploy a benign container using the open-source Commando tool and to execute a malicious command that lets it escape the confines of the container via the chroot command.
It also runs a series of checks to determine whether services named “sys-kernel-debugger”, “gsc”, “c3pool_miner” and “dockercache” are active on the compromised system and proceeds to the next step only if this step passes.
“The purpose of the sys-kernel-debugger check is unclear: this service is not used anywhere in the malware, nor is it part of Linux,” the researchers said. “It is possible that the service is part of another campaign that the attacker does not want to compete with.”
The next step involves retrieving additional payloads from the command-and-control (C2) server, including a shell script backdoor (user.sh) that can add an SSH key to the ~/.ssh/authorized_keys file and create an unauthorized user named “games” with a password known to the attacker, adding it to the /etc/sudoers file.
Similarly, three other shell scripts – tshd.sh, gsc.sh and aws.sh – are also delivered, designed to drop Tiny SHell and an improvised version of netcat called gs-netcat, and to exfiltrate credentials.
Threat actors “execute a command on the cmd.cat/chattr container that fetches the payload from their C2 infrastructure,” Muir told The Hacker News, noting that this is accomplished using curl or wget and piping the resulting payload directly into the bash shell.
“Instead of using /tmp, [gsc.sh] uses /dev/shm, which acts as a temporary but memory-backed file store,” the researchers said. “It is possible that this is an evasion mechanism, as it is much more common for malware to use /tmp.”
“This ensures that the artifacts do not touch the disk, making forensic analysis a little more difficult. This technique was previously used in BPFdoor, a high-profile Linux campaign.”
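The service-name checks, the rogue “games” sudo user and the /dev/shm staging described above translate directly into host triage logic. The following is an added example written for this article, not Cado's tooling or the campaign's scripts; it encodes only the indicators the report names, and the sample inputs in its accompanying checks are constructed.

```python
# Triage helper for the Commando Cat host indicators described above (added
# example, not Cado's tooling). Encodes only what the report states: the four
# service-name checks, the rogue "games" sudo user from user.sh, /dev/shm staging.
import os
import re
import subprocess
from pathlib import Path
from typing import Iterable

SUSPECT_SERVICES = {"sys-kernel-debugger", "gsc", "c3pool_miner", "dockercache"}
ROGUE_USER = "games"

def suspect_units(systemctl_output: str) -> set:
    """Names from SUSPECT_SERVICES present in `systemctl list-units` output."""
    units = re.findall(r"(?m)^\s*[●*]?\s*([\w.@-]+)\.service\b", systemctl_output)
    return set(units) & SUSPECT_SERVICES

def games_login_shell(passwd_text: str) -> bool:
    """True if 'games' has a usable shell. Stock Debian/Ubuntu already ship a
    system 'games' account (uid 5, nologin shell), so existence alone is not
    an indicator; a real shell or a sudoers entry is."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == ROGUE_USER:
            return not fields[6].endswith(("nologin", "/false"))
    return False

def games_sudoers_lines(sudoers_text: str) -> list:
    """Uncommented sudoers lines granting privileges to the 'games' user."""
    return [l.strip() for l in sudoers_text.splitlines()
            if re.match(rf"^\s*{ROGUE_USER}\s", l)]

def shm_executables(entries: Iterable[Path]) -> list:
    """Executable regular files under /dev/shm, where gsc.sh stages payloads."""
    return sorted(p.name for p in entries if p.is_file() and os.access(p, os.X_OK))

def triage(systemctl_output: str, passwd_text: str, sudoers_text: str,
           shm_entries: Iterable[Path]) -> dict:
    """One report with every indicator, for a responder to review."""
    return {"suspect_units": sorted(suspect_units(systemctl_output)),
            "games_login_shell": games_login_shell(passwd_text),
            "games_sudoers": games_sudoers_lines(sudoers_text),
            "shm_executables": shm_executables(shm_entries)}

if __name__ == "__main__":  # live run on this host (needs root for /etc/sudoers)
    units = subprocess.run(["systemctl", "list-units", "--type=service", "--all"],
                           capture_output=True, text=True).stdout
    print(triage(units, Path("/etc/passwd").read_text(),
                 Path("/etc/sudoers").read_text(), Path("/dev/shm").iterdir()))
```

Any non-empty field in the report warrants a closer look at the Docker daemon's exposure and at recent container activity on the host.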
The attack culminates in the deployment of another payload that is delivered directly as a Base64-encoded script rather than being fetched from the C2 server, which in turn launches the XMRig cryptocurrency miner, but not before killing competing miner processes on the infected machine.
The exact origins of the threat actor behind Commando Cat are currently unclear, although the shell scripts and C2 IP address have been observed to overlap with those linked to cryptojacking groups such as TeamTNT in the past, raising the possibility that it could be a copycat group.
“The malware functions as a credential stealer, a highly stealthy backdoor, and a cryptocurrency miner all in one,” the researchers said. “This makes it versatile and able to extract as much value as possible from infected machines.”