Exposed Docker API endpoints reachable over the internet are under attack from a sophisticated cryptojacking campaign called Commando Cat.
"The campaign deploys a benign container generated using the Commando project," Cado security researchers Nate Bill and Matt Muir said in a new report published today. "The attacker escapes this container and runs multiple payloads on the Docker host."
The campaign is believed to have been active since the start of 2024, making it the second such campaign to be discovered in as many months. In mid-January, the cloud security firm also shed light on another activity cluster that targets vulnerable Docker hosts to deploy the XMRig cryptocurrency miner as well as the 9Hits Viewer software.
Commando Cat uses Docker as its initial access vector to deliver a collection of interdependent payloads from an actor-controlled server. Those payloads are responsible for establishing persistence, backdooring the host, exfiltrating cloud service provider (CSP) credentials, and launching the miner.
The foothold obtained by breaching exposed Docker instances is then abused to deploy a harmless container built with the Commando open-source tool and to execute a malicious command that lets the attacker escape the confines of the container via chroot.
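Because the whole chain starts with a Docker API that is reachable over TCP, the first check a defender wants is whether their own daemon is listening that way. The following is an added example, not code from Cado's report or from the Commando project: it reads the daemon's listener configuration and reports every TCP listener that does not require client certificates. The daemon.json bodies and dockerd command lines inside it are constructed for the demonstration.

```python
"""Check whether a Docker daemon exposes its API over TCP without client
certificate verification, the exposure Commando Cat uses for initial access.

Added example, not code from the report. Inputs are constructed: a daemon.json
body and a dockerd command line. On a real host read /etc/docker/daemon.json
and `ps -o args= -C dockerd`. dockerd refuses to start when both sources set
hosts, so in practice only one of them is populated.
"""
import json
import shlex
from typing import List, Tuple

# (host spec, where it is reachable from, client certificates verified?)
Listener = Tuple[str, str, bool]


def _config(daemon_json: str) -> dict:
    return json.loads(daemon_json) if daemon_json.strip() else {}


def listeners(daemon_json: str, cmdline: str) -> List[str]:
    """Collect every host spec from daemon.json 'hosts' and -H/--host flags."""
    hosts = _config(daemon_json).get("hosts", [])
    hosts = list(hosts) if isinstance(hosts, list) else [hosts]
    argv = shlex.split(cmdline)
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg.startswith("-H") and arg != "-H":
            hosts.append(arg[2:])  # the -Htcp://... spelling
    return hosts


def tls_verify(daemon_json: str, cmdline: str) -> bool:
    """True only when the daemon will demand a CA-signed client certificate."""
    if _config(daemon_json).get("tlsverify") is True:
        return True
    return any(a in ("--tlsverify", "--tlsverify=true") for a in shlex.split(cmdline))


def audit(daemon_json: str, cmdline: str) -> List[Listener]:
    """One entry per TCP listener; unix:// and fd:// sockets are local-only."""
    verified = tls_verify(daemon_json, cmdline)
    out: List[Listener] = []
    for host in listeners(daemon_json, cmdline):
        if not host.startswith("tcp://"):
            continue
        addr = host[len("tcp://"):].rsplit(":", 1)[0]
        if addr in ("0.0.0.0", "::", "[::]"):
            reach = "all interfaces"
        elif addr in ("127.0.0.1", "localhost", "[::1]"):
            reach = "loopback only"
        else:
            reach = f"address {addr}"  # an empty address is reported as-is and treated as exposed
        out.append((host, reach, verified))
    return out


def exposed(result: List[Listener]) -> bool:
    """True if any TCP listener is reachable beyond loopback without client certs."""
    return any(reach != "loopback only" and not verified for _, reach, verified in result)


# Constructed sample configurations: the weak setting beside the corrected one.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        result = audit(cfg, "dockerd")
        print(label, "EXPOSED" if exposed(result) else "ok", result)
```

The hardened variant keeps a TCP listener but turns on tlsverify with a CA, so only clients holding a certificate signed by that CA can reach the API. The simpler fix is to drop the tcp:// host entirely and reach the daemon over the unix socket or SSH (docker -H ssh://user@host), which leaves nothing for a scanner to find.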
It also runs a series of checks to determine whether services named "sys-kernel-debugger," "gsc," "c3pool_miner," and "dockercache" are active on the compromised system, and proceeds to the next stage only if this step passes.
"The purpose of the check for sys-kernel-debugger is unclear – this service is not used anywhere in the malware, nor is it part of Linux," the researchers said. "It's possible that the service is part of another campaign that the attacker does not want to compete with."
The next phase involves dropping additional payloads from the command-and-control (C2) server, including a shell script backdoor (user.sh) that adds an SSH key to the ~/.ssh/authorized_keys file, creates a rogue user named "games" with an attacker-known password, and adds that user to the /etc/sudoers file.
Delivered in the same manner are three more shell scripts – tshd.sh, gsc.sh, and aws.sh – which drop Tiny SHell and an improvised version of netcat called gs-netcat, and exfiltrate credentials.
The threat actors "run a command on the cmd.cat/chattr container that retrieves the payload from their own C2 infrastructure," Muir told The Hacker News, noting that this is done with curl or wget, piping the resulting payload directly into the bash shell.
"Instead of using /tmp, [gsc.sh] also uses /dev/shm instead, which acts as a temporary file store but memory backed instead," the researchers said. "It's possible that this is an evasion mechanism, as it's much more common for malware to use /tmp."
"This also results in the artifacts not touching the disk, making forensics somewhat harder. This technique has been used before in BPFdoor – a high profile Linux campaign."
The attack culminates in the deployment of a final payload that is delivered directly as a Base64-encoded script rather than retrieved from the C2 server. It drops the XMRig cryptocurrency miner, but not before killing competing miner processes on the infected machine.
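The artifacts described above (a sudoers entry for "games", an attacker SSH key in authorized_keys, payloads staged under /dev/shm, an XMRig process) are exactly what a responder would look for on a suspected host. The script below is an added example, not code from the report: it runs those checks over constructed stand-ins for the relevant files and command output. The account names, key blobs, paths and process lines in it are made up for the demonstration.

```python
"""Triage a Linux host for the post-compromise artifacts described above: a
sudoers grant for a rogue or system account, an unknown SSH key, executables
staged in memory-backed /dev/shm, and a miner process.

Added example, not code from the report. Sample inputs are constructed strings
standing in for real files and command output; on a live host feed it
/etc/passwd, /etc/sudoers (and /etc/sudoers.d/*), each ~/.ssh/authorized_keys,
`find /dev/shm -type f -printf '%m %s %p\\n'` and `ps -eo pid,comm,args`.
"""
import base64
import hashlib
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str]  # (category, detail)

def parse_passwd(passwd: str) -> Dict[str, Tuple[int, str]]:
    """Map account name -> (uid, login shell)."""
    rows = [line.split(":") for line in passwd.splitlines() if line.count(":") >= 6]
    return {r[0]: (int(r[2]), r[6]) for r in rows}

def rogue_sudoers_entries(sudoers: str, passwd: str, allowed=("root",)) -> List[Finding]:
    """Flag per-user specs for unknown accounts, for system accounts (uid < 1000;
    'games' is a stock nologin account on Debian derivatives) and for NOPASSWD."""
    users, out = parse_passwd(passwd), []
    for line in (raw.strip() for raw in sudoers.splitlines()):
        if not line or line.startswith(("#", "@", "Defaults")):
            continue  # comments, @include/@includedir, Defaults lines
        who = line.split()[0]
        if who.startswith(("%", "+")) or who in allowed:
            continue  # group/netgroup specs and expected admins
        if who not in users:
            out.append(("sudoers", f"unknown account {who!r}: {line}"))
        elif users[who][0] < 1000:
            out.append(("sudoers", f"system account {who!r} uid {users[who][0]}: {line}"))
        elif "NOPASSWD" in line:
            out.append(("sudoers", f"passwordless grant for {who!r}: {line}"))
    return out

def ssh_fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def unknown_ssh_keys(authorized_keys: str, known: Set[str]) -> List[Finding]:
    """Flag every authorized_keys entry whose fingerprint is not in `known`."""
    out: List[Finding] = []
    for line in (raw.strip() for raw in authorized_keys.splitlines()):
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Options such as from= or command= may precede the key-type field.
        i = next((n for n, t in enumerate(fields) if t.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if i is None or i + 1 >= len(fields):
            out.append(("ssh", f"unparseable entry: {line[:60]}"))
            continue
        fp = ssh_fingerprint(fields[i + 1])
        if fp not in known:
            out.append(("ssh", f"unknown key {fp} ({fields[i]}, comment {' '.join(fields[i + 2:])!r})"))
    return out

def shm_executables(find_output: str) -> List[Finding]:
    """Flag regular files under /dev/shm with any execute bit set."""
    out: List[Finding] = []
    for line in filter(str.strip, find_output.splitlines()):
        mode, size, path = line.split(maxsplit=2)
        if int(mode, 8) & 0o111:
            out.append(("shm", f"executable {path} (mode {mode}, {size} bytes)"))
    return out

def miner_processes(ps_output: str) -> List[Finding]:
    """Flag processes by well-known miner names or XMRig/stratum arguments."""
    names, markers = {"xmrig", "c3pool_miner"}, ("stratum+tcp://", "stratum+ssl://", "--donate-level")
    out: List[Finding] = []
    for line in ps_output.splitlines()[1:]:  # skip the ps header
        pid, comm, args = (line.split(maxsplit=2) + ["", "", ""])[:3]
        if comm in names or any(m in args for m in markers):
            out.append(("miner", f"pid {pid} {comm}: {args}"))
    return out

# Constructed sample inputs, not real artifacts.
def fake_ed25519_blob(fill: int) -> str:
    """Structurally valid ssh-ed25519 wire blob around a made-up 32-byte key."""
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([fill]) * 32).decode()

ADMIN_KEY, ATTACKER_KEY = fake_ed25519_blob(1), fake_ed25519_blob(2)
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\ndeploy:x:1000:1000::/home/deploy:/bin/bash\n"
SAMPLE_SUDOERS = "Defaults env_reset\nroot ALL=(ALL:ALL) ALL\n%sudo ALL=(ALL:ALL) ALL\ngames ALL=(ALL:ALL) NOPASSWD: ALL\n@includedir /etc/sudoers.d\n"
SAMPLE_AUTHORIZED_KEYS = f"ssh-ed25519 {ADMIN_KEY} deploy@bastion\nssh-ed25519 {ATTACKER_KEY}\n"
SAMPLE_SHM = "644 120 /dev/shm/.cache/state\n755 1182424 /dev/shm/gsc\n"
SAMPLE_PS = ("    PID COMMAND         COMMAND\n      1 systemd         /sbin/init\n"
             "   4242 xmrig           /dev/shm/xmrig -o stratum+tcp://pool.invalid:3333 --donate-level 1\n")

if __name__ == "__main__":
    findings = (rogue_sudoers_entries(SAMPLE_SUDOERS, SAMPLE_PASSWD)
                + unknown_ssh_keys(SAMPLE_AUTHORIZED_KEYS, {ssh_fingerprint(ADMIN_KEY)})
                + shm_executables(SAMPLE_SHM) + miner_processes(SAMPLE_PS))
    for category, detail in findings:
        print(f"[{category}] {detail}")
```

Two caveats when running this for real: /dev/shm is tmpfs, so anything found there disappears on reboot, and a process that was started from it keeps running after its file is unlinked. Copy the files out and capture the process (its /proc/PID/exe link and memory) before the host is restarted, and compare SSH fingerprints against a known-good inventory rather than against key comments, which the attacker controls.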
The exact origins of the threat actor behind Commando Cat are currently unclear, although the shell scripts and the C2 IP address overlap with those previously linked to cryptojacking groups like TeamTNT, raising the possibility that it is a copycat group.
"The malware functions as a credential stealer, highly stealthy backdoor, and cryptocurrency miner all in one," the researchers said. "This makes it versatile and able to extract as much value from infected machines as possible."