'Commando Cat' Cryptojacking Campaign Targets Exposed Docker APIs

Commando Cat, a sophisticated cryptojacking campaign, is attacking exposed Docker API endpoints on the internet.

Feb 1, 2024 - 06:00

A sophisticated cryptojacking operation named Commando Cat is exploiting internet-exposed Docker API endpoints, according to security researchers Nate Bill and Matt Muir from Cado Security.

Active since early 2024, Commando Cat utilizes Docker for initial access, deploying a seemingly harmless container created with the Commando open-source project. The attackers then break out of this container to execute various malicious activities on the Docker host.

This campaign marks the second major Docker-targeted attack revealed within a few months. Previously, Cado Security uncovered an operation deploying the XMRig cryptocurrency miner and the 9Hits Viewer software on vulnerable Docker hosts.

Key aspects of the Commando Cat campaign include:

  1. Using Docker for Initial Access: The campaign starts by compromising Docker instances to deliver multiple interlinked payloads from a server controlled by the attackers. These payloads are designed for persistence, host backdooring, credential theft for cloud service providers, and initiating a cryptocurrency mining process.

  2. Container Escape and Payload Execution: The attackers deploy a benign container via Commando and execute a command allowing them to escape the container using the chroot command.

  3. System Checks: The malware performs checks to identify if certain services (like "sys-kernel-debugger," "gsc," "c3pool_miner," and "dockercache") are running on the compromised system. It proceeds to the next stage only if these checks are passed. The presence of the "sys-kernel-debugger" service is particularly notable as its purpose in the malware is unclear, suggesting it might be related to another campaign.

  4. Additional Payload Deployment: After passing the checks, the campaign retrieves more payloads from the command-and-control server. These include a shell script backdoor (user.sh) that adds an SSH key to the ~/.ssh/authorized_keys file. It also creates a new user named "games" with a password known to the attackers and adds it to the /etc/sudoers file for escalated privileges.

The Commando Cat campaign highlights the ongoing risks of exposed Docker instances and the sophisticated methods attackers use to exploit such vulnerabilities for cryptojacking and other malicious purposes.

Cryptojacking Campaign

The Commando Cat campaign, targeting exposed Docker API endpoints, deploys a series of sophisticated shell scripts to facilitate a cryptojacking attack, as detailed by researchers Nate Bill and Matt Muir from Cado Security.

The campaign runs in multiple stages. It begins with a command that pulls payloads directly from the attacker's command-and-control (C2) infrastructure using curl or wget and then executes them with the bash shell. Matt Muir from The Hacker News highlights this tactic, noting its efficiency in payload delivery.

Included in these payloads are three distinct shell scripts – tshd.sh, gsc.sh, and aws.sh. These scripts serve various purposes:

  1. tshd.sh: A script for deploying Tiny SHell, a minimalist Unix shell.
  2. gsc.sh: Used to install an improved version of netcat, known as gs-netcat.
  3. aws.sh: Aimed at exfiltrating credentials.

Interestingly, the gsc.sh script uses /dev/shm instead of the more common /tmp directory. This choice, likely an evasion tactic, ensures that the artifacts remain memory-based and don’t touch the disk, complicating forensic analysis. This approach is reminiscent of tactics used in the high-profile BPFdoor Linux campaign.
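The persistence indicators listed in step 4 of the first section (the "games" account, the sudoers grant, the added SSH key) and the /dev/shm staging described here can be checked on a Linux host with a short audit. The following is an added example, not Cado Security's or the campaign's code; it also checks whether the Docker daemon binds its API to a network TCP socket, the exposure that gives the campaign its initial access. The sample file contents and the known-good SSH key inventory are constructed assumptions.

```python
"""Host audit for the Commando Cat indicators described in this article. Added
example, not Cado Security's tooling; file contents are passed in as strings so
it runs offline on constructed samples (on a real host, read the named files)."""
import json
import re

SUDO_RE = re.compile(r"^(?P<user>[A-Za-z0-9_.-]+)\s+\S+\s*=")  # "games ALL=(ALL) ALL"
NOLOGIN = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")

def docker_api_exposed(daemon_json: str) -> bool:
    """True if daemon.json binds the Docker API to a non-loopback TCP socket."""
    hosts = json.loads(daemon_json).get("hosts", [])
    return any(h.startswith("tcp://") and not h.startswith(("tcp://127.", "tcp://localhost"))
               for h in hosts)

def sudoers_users(sudoers: str) -> set:
    """User names (not %groups, Defaults or aliases) that hold a sudoers grant."""
    users = set()
    for line in sudoers.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "%", "Defaults")) and "_Alias" not in line:
            if (m := SUDO_RE.match(line)):
                users.add(m.group("user"))
    return users

def audit(passwd, sudoers, authorized_keys, shm_entries, known_keys,
          expected_sudoers=frozenset({"root"})):
    """Return findings for the persistence indicators the article describes."""
    findings = []
    for line in passwd.splitlines():  # system account (uid < 1000) given a real shell
        name, _, uid, _, _, _, shell = line.split(":")
        if 0 < int(uid) < 1000 and shell not in NOLOGIN:
            findings.append(f"system account {name} has login shell {shell}")
    for user in sorted(sudoers_users(sudoers) - expected_sudoers):
        findings.append(f"unexpected sudoers grant for {user}")
    for key in authorized_keys.splitlines():  # keys outside the known-good inventory
        if key.strip() and key.strip() not in known_keys:
            findings.append(f"unknown SSH key with comment {key.split()[-1]!r}")
    for path, mode in shm_entries:  # executables staged in memory-backed /dev/shm
        if mode & 0o111:
            findings.append(f"executable in /dev/shm: {path}")
    return findings

# Constructed samples, not data recovered from the campaign.
SAMPLE_DAEMON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\ngames:x:5:60:games:/usr/games:/bin/bash"
SAMPLE_SUDOERS = "Defaults env_reset\nroot ALL=(ALL:ALL) ALL\n%sudo ALL=(ALL:ALL) ALL\ngames ALL=(ALL) NOPASSWD:ALL"
KNOWN_KEYS = {"ssh-ed25519 AAAAC3Nz_known alice@laptop"}
SAMPLE_KEYS = "ssh-ed25519 AAAAC3Nz_known alice@laptop\nssh-rsa AAAAB3Nz_unknown x@unknown-host"
SAMPLE_SHM = [("/dev/shm/gsc", 0o755), ("/dev/shm/pulse-shm-1", 0o600)]
```

On a real host, read /etc/docker/daemon.json, /etc/passwd, /etc/sudoers (plus /etc/sudoers.d), each user's ~/.ssh/authorized_keys and an os.scandir of /dev/shm, and feed the contents to these functions.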

The final stage of the attack involves the deployment of a Base64-encoded script directly, rather than fetching it from the C2 server. This script then installs the XMRig cryptocurrency miner, ensuring to first terminate any competing mining processes on the infected system.

The origins of the threat actors behind Commando Cat remain uncertain. However, similarities in the shell scripts and the C2 IP address suggest possible connections to known cryptojacking groups like TeamTNT, indicating that Commando Cat might be a copycat group or an evolution of these earlier groups.

Summarizing their findings, the Cado Security researchers describe Commando Cat as a multi-functional malware, serving as a credential stealer, a stealthy backdoor, and a cryptocurrency miner. This combination makes it a particularly versatile threat capable of extracting maximum value from compromised systems.