Unveiling the 'Commando Cat' Cryptojacking Campaign: Docker APIs Under Siege


In the ever-evolving landscape of cybersecurity threats, a new and sophisticated cryptojacking campaign, dubbed "Commando Cat," has emerged, targeting Docker API endpoints exposed to the internet. Cado Security researchers Nate Bill and Matt Muir shed light on this alarming development in their latest report, revealing the intricacies of an attack that exploits Docker as an initial access vector.

The Commando Cat Campaign Unveiled

According to the researchers, Commando Cat deploys a seemingly harmless container using the Commando open-source tool. This container, generated by the Commando project, becomes the staging ground from which the attacker executes multiple payloads on the Docker host. Active since the beginning of 2024, it is the second campaign of this kind observed within a short span.

Exploiting Docker Vulnerabilities

The attackers gain a foothold by breaching susceptible Docker instances, leveraging them to deploy a benign container. This container, however, serves as a conduit for launching malicious commands that enable the attacker to escape the container's confines using the chroot command. Notably, the campaign checks for the presence of specific services before advancing to the next stage.
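The two preconditions this section describes, an API reachable without authentication and a container whose settings let a process inside it chroot into the host, are both visible in configuration a defender already has. The following audit is an added example (not code from the Cado Security report or the Commando project): it parses a constructed daemon.json and a constructed subset of `docker inspect` output. The `hosts`, `tlsverify`, `HostConfig.Binds`, `HostConfig.Privileged` and `Config.Cmd` keys are real Docker settings; the sample values and the choice of what counts as a finding are the example's own assumptions.

```python
"""Audit Docker daemon and container configuration for the exposure pattern
described above. Added example with constructed inputs; not the report's code."""
import json

# Constructed daemon.json variants. "hosts" with a tcp:// entry and no
# "tlsverify" is the configuration that lets anyone on the network issue
# API calls; the hardened variant requires client certificates.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(daemon_json):
    """Return a list of findings for a daemon.json text."""
    cfg = json.loads(daemon_json)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        findings.append(
            f"Docker API listens on TCP without TLS client auth: {tcp_hosts}")
    return findings


# Constructed subset of `docker inspect` output: one ordinary web container
# and one whose settings allow a chroot into the host filesystem.
INSPECT_OUTPUT = json.dumps([
    {
        "Name": "/web",
        "HostConfig": {"Privileged": False,
                       "Binds": ["/srv/web:/usr/share/nginx/html:ro"]},
        "Config": {"Cmd": ["nginx", "-g", "daemon off;"]},
    },
    {
        "Name": "/staging",
        "HostConfig": {"Privileged": True, "Binds": ["/:/hostfs"]},
        "Config": {"Cmd": ["chroot", "/hostfs", "sh"]},
    },
])


def host_root_mounts(binds):
    """Bind entries whose host-side path is '/', i.e. the whole host filesystem.

    chroot into the host from inside a container requires the host root to be
    visible in the container's mount namespace, so this bind is the key signal."""
    return [b for b in binds or [] if b.split(":", 1)[0] == "/"]


def audit_containers(inspect_json):
    """Map container name -> reasons it could act as an escape staging point."""
    findings = {}
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        host_cfg = c.get("HostConfig", {})
        cmd = c.get("Config", {}).get("Cmd") or []
        reasons = []
        roots = host_root_mounts(host_cfg.get("Binds"))
        if roots:
            reasons.append(f"host root bind-mounted: {roots}")
        if host_cfg.get("Privileged"):
            reasons.append("privileged container")
        if "chroot" in cmd:
            reasons.append("chroot in container command")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    print(audit_daemon_config(WEAK_DAEMON_JSON))
    print(audit_daemon_config(HARDENED_DAEMON_JSON))  # expected: []
    print(audit_containers(INSPECT_OUTPUT))
```

On a live host the same functions can be fed `cat /etc/docker/daemon.json` and `docker inspect $(docker ps -aq)`; a privileged container or a `/` bind is not malicious by itself, so the output is a triage list, not a verdict.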

Multi-Stage Payload Delivery

Once the foothold is established, Commando Cat proceeds to drop a variety of interdependent payloads from an actor-controlled server. These payloads include a shell script backdoor (user.sh), which adds an SSH key and creates a rogue user named "games." Additionally, three more shell scripts (tshd.sh, gsc.sh, aws.sh) are delivered to drop Tiny SHell and a customized version of netcat, facilitating the exfiltration of credentials.

Evasion Tactics and Stealth Techniques

The researchers highlight the attackers' use of non-traditional paths for payload retrieval, such as /dev/shm instead of /tmp, possibly as an evasion mechanism. This unconventional approach, reminiscent of the BPFdoor campaign, minimizes artifacts touching the disk, making forensics more challenging.


The Culmination: A Versatile Threat

Commando Cat's attack culminates with the deployment of another payload, delivered as a Base64-encoded script, dropping the XMRig cryptocurrency miner. Intriguingly, this final payload eliminates competing miner processes on the infected machine, showcasing the campaign's adaptability and efficiency.
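The three payload stages described above (the user.sh backdoor that adds an SSH key and a "games" user, the tools staged under /dev/shm, and the XMRig miner) each leave an artifact on the host that can be checked without the attacker's files. The triage below is an added example, not code from the Cado Security report. Every input is a constructed string standing in for /etc/passwd, an authorized_keys file, the output of `find /dev/shm -type f -printf '%p %m %s\n'` and `ps -eo pid,user,args`; the baseline key set and the process-name markers are assumptions a defender replaces with their own. Note that a `games` account is a stock entry on many distributions, so the check flags only a `games` account that has become a login account, not its mere presence.

```python
"""Host triage for the post-exploitation indicators named above.
Added example with constructed inputs; not the report's code."""

# Constructed /etc/passwd. The stock 'games' entry has a nologin shell; in the
# suspect variant it has been rewritten as a second uid-0 account with a shell.
PASSWD_CLEAN = """root:x:0:0:root:/root:/bin/bash
games:x:5:60:games:/usr/games:/usr/sbin/nologin
"""
PASSWD_SUSPECT = """root:x:0:0:root:/root:/bin/bash
games:x:0:0::/root:/bin/bash
"""
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def check_passwd(text):
    """Flag a 'games' account with a login shell and any non-root uid-0 account."""
    findings = []
    for line in text.splitlines():
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if name == "games" and shell not in NOLOGIN_SHELLS:
            findings.append(f"games has login shell {shell}")
        if uid == "0" and name != "root":
            findings.append(f"{name} has uid 0")
    return findings


# Constructed baseline (assumption): key bodies the administrator already knows.
BASELINE_KEYS = {
    "AAAAC3NzaC1lZDI1NTE5AAAAIHwkp2o3b1lTq5gR0s4zE6v8Ya1tM9Dj5wXc2nF7hQ8a",
}
# Constructed authorized_keys: one baseline key, one unknown key.
AUTHORIZED_KEYS = """ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHwkp2o3b1lTq5gR0s4zE6v8Ya1tM9Dj5wXc2nF7hQ8a admin@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0nstructedExampleKeyMaterial00000000000000000000000000000000 user@host
"""
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def check_authorized_keys(text, baseline=BASELINE_KEYS):
    """Return (key_type, comment) for every key whose body is not in the baseline.

    authorized_keys lines may carry options before the key type, so the key
    body is taken as the field following the first type-looking field."""
    unknown = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(parts):
            unknown.append(("malformed", line))
            continue
        if parts[idx + 1] not in baseline:
            unknown.append((parts[idx], " ".join(parts[idx + 2:])))
    return unknown


# Constructed `find /dev/shm -type f -printf '%p %m %s\n'` output.
SHM_LISTING = """/dev/shm/pulse-shm-1234 600 65536
/dev/shm/tshd 755 28400
/dev/shm/gsc.sh 755 1420
"""


def check_shm(listing):
    """Executable regular files under /dev/shm; the tmpfs normally holds data, not programs."""
    hits = []
    for line in listing.splitlines():
        path, mode, _size = line.rsplit(" ", 2)
        if int(mode, 8) & 0o111:
            hits.append(path)
    return hits


# Constructed `ps -eo pid,user,args` output.
PS_OUTPUT = """  PID USER     ARGS
  812 root     /usr/sbin/sshd -D
 4410 games    /dev/shm/tshd
 4471 games    /dev/shm/xmrig
"""
# Name markers from the report (assumption: attackers often rename binaries,
# so this is a first pass, not a complete detector).
PROCESS_MARKERS = ("xmrig", "tshd")


def check_processes(ps_text):
    """Processes whose command line names a known tool or runs out of /dev/shm."""
    hits = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        pid, user, args = line.split(None, 2)
        if any(m in args.lower() for m in PROCESS_MARKERS) or args.startswith("/dev/shm/"):
            hits.append((int(pid), user, args))
    return hits


def triage(passwd, keys, shm, ps):
    """Run every check and return the combined findings."""
    return {
        "passwd": check_passwd(passwd),
        "unknown_keys": check_authorized_keys(keys),
        "shm_executables": check_shm(shm),
        "suspicious_processes": check_processes(ps),
    }


if __name__ == "__main__":
    for key, value in triage(PASSWD_SUSPECT, AUTHORIZED_KEYS,
                             SHM_LISTING, PS_OUTPUT).items():
        print(key, value)
```

The checks are deliberately independent so that a single hit (an unknown key, an executable in /dev/shm) can be escalated on its own; together they cover each stage the report describes, and the empty results on the clean inputs show the baseline they expect.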

Unmasking the Culprit

The exact origins of the threat actor responsible for Commando Cat remain elusive. While the shell scripts and C2 IP address bear similarities to cryptojacking groups like TeamTNT, the researchers stop short of definitively attributing the campaign to a specific entity. Nevertheless, the multifaceted nature of the malware, functioning as a credential stealer, stealthy backdoor, and cryptocurrency miner, underscores its versatility and potential for extracting maximum value from compromised systems.

Conclusion: A Unified Threat

In conclusion, the Commando Cat cryptojacking campaign poses a significant threat to organizations with exposed Docker API endpoints. The multi-stage payload delivery, evasion tactics, and adaptability make it a formidable adversary. As the cybersecurity landscape continues to evolve, vigilance and proactive measures are crucial to thwart such sophisticated attacks.
