Commando Cat Cryptojacking attacks target misconfigured docker instances.
07-June-24
The threat actor known as Commando Cat has been linked to an ongoing cryptojacking attack campaign that leverages poorly secured Docker instances to deploy cryptocurrency miners for financial gain. “The attackers used the cmd.cat/chattr docker image container that retrieves the payload from their own command-and-control (C&C) infrastructure,” Trend Micro researchers Sunil Bharti and Shubham Singh said in a Thursday analysis.
Commando Cat, so named for its use of the open-source Commando project to generate a benign container, was first documented earlier this year by Cado Security. The attacks are characterized by the targeting of misconfigured Docker remote API servers to deploy a Docker image named cmd.cat/chattr, which is then used as a basis to instantiate a container and break out of its confines using the chroot command, and gain access to the host operating system.
The final step entails retrieving the malicious miner binary using a curl or wget command from a C&C server (“leetdbs.anondns[.]net/z”) by means of a shell script. The binary is suspected to be ZiggyStarTux, an open-source IRC bot based on the Kaiten (aka Tsunami) malware.
“The significance of this attack campaign lies in its use of Docker images to deploy cryptojacking scripts on compromised systems,” the researchers said. “This tactic allows attackers to exploit vulnerabilities in Docker configurations while evading detection by security software.”
