‘Commando Cat’ Is Second Campaign of the Year Targeting Docker


In findings released by Cado researchers, they discovered a malware campaign, dubbed “Commando Cat,” which is targeting exposed Docker API endpoints.

The cryptojacking campaign has only been active since the beginning of this year, but it is already the second campaign targeting Docker. The first one used the 9hits traffic exchange application, according to the researchers. Attacks against Docker are not unusual, however, especially in cloud environments where the API is reachable over the network.

“This campaign demonstrates the continued determination attackers have to exploit the service and achieve a variety of objectives,” the researchers said. “Commando Cat is a cryptojacking campaign leveraging Docker as an initial access vector and (ab)using the service to mount the host’s filesystem, before running a series of interdependent payloads directly on the host.”
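The two conditions the quoted description relies on, a Docker daemon reachable over an unauthenticated TCP socket and a container that bind-mounts the host filesystem, are both visible in ordinary Docker configuration and inspection output. The following checker is an added example written for this article, not Cado’s tooling or anything from the campaign itself. It reads the JSON shapes that `/etc/docker/daemon.json` and `docker inspect` produce; the daemon config and the three container records embedded below are constructed sample data, and the list of sensitive host paths is an assumption chosen for illustration.

```python
"""Flag the Docker conditions a Commando Cat style intrusion needs:
  1. a daemon listening on tcp:// without TLS verification (exposed API);
  2. containers that bind-mount sensitive host paths or run privileged
     (the "mount the host's filesystem" step).
Added example; sample data below is constructed, not captured from an incident."""
import json
from urllib.parse import urlparse

# Assumed list of host paths whose bind-mount into a container is a red flag.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")


def daemon_exposure(daemon_json: str) -> list:
    """Return tcp:// listeners from daemon.json 'hosts' that are not TLS-verified."""
    cfg = json.loads(daemon_json)
    tls_verified = bool(cfg.get("tlsverify", False))
    return [
        h for h in cfg.get("hosts", [])
        if urlparse(h).scheme == "tcp" and not tls_verified
    ]


def _host_path_is_sensitive(path: str) -> bool:
    """True if path is, or lies under, one of SENSITIVE_HOST_PATHS."""
    path = path.rstrip("/") or "/"
    if path == "/":
        return True
    for p in SENSITIVE_HOST_PATHS:
        if p == "/":
            continue  # every absolute path starts with "/", handled above
        if path == p or path.startswith(p + "/"):
            return True
    return False


def risky_mounts(inspect_json: str) -> dict:
    """Map container name -> reasons, for the output of `docker inspect <ids...>`."""
    findings = {}
    for c in json.loads(inspect_json):
        reasons = []
        if c.get("HostConfig", {}).get("Privileged"):
            reasons.append("privileged")
        # docker inspect lists resolved mounts under Mounts[]; only bind mounts
        # expose an arbitrary host path, named volumes live under /var/lib/docker.
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and _host_path_is_sensitive(m.get("Source", "")):
                reasons.append(f"bind {m['Source']} -> {m.get('Destination')}")
        if reasons:
            findings[c.get("Name", "?").lstrip("/")] = reasons
    return findings


# --- constructed sample input -------------------------------------------------
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
})

SAMPLE_INSPECT_JSON = json.dumps([
    {"Name": "/webapp", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/srv/app", "Destination": "/app"},
                {"Type": "volume", "Source": "/var/lib/docker/volumes/db/_data",
                 "Destination": "/data"}]},
    {"Name": "/hostmnt", "HostConfig": {"Privileged": True},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}]},
    {"Name": "/sockmnt", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
])

if __name__ == "__main__":
    print("exposed listeners:", daemon_exposure(SAMPLE_DAEMON_JSON))
    for name, why in risky_mounts(SAMPLE_INSPECT_JSON).items():
        print(f"{name}: {', '.join(why)}")
```

On a live host the same functions can be fed `cat /etc/docker/daemon.json` and `docker inspect $(docker ps -aq)`; a container whose root is the host’s `/` mounted at `/mnt`, or a mounted Docker socket, is exactly the foothold the quoted description refers to and should be treated as host-level compromise rather than a container issue.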

It is unclear who the threat actor behind Commando Cat is or where they are from, though there is an overlap in scripts and IP addresses with other groups such as TeamTNT, indicating a possible connection or a copycat.

Because of the level of redundancy and the amount of evasion, the campaign is sophisticated in how it conceals itself. Acting as a credential stealer, backdoor, and cryptocurrency miner all in one, it makes for a highly stealthy and malicious threat.


