
Commando Cat campaign exploits Docker remote API for cryptojacking


Photo: Jin Odin / Shutterstock.com

A sophisticated campaign, Commando Cat, targets vulnerable Docker remote API servers to deploy cryptocurrency miners. This campaign has been active since the beginning of 2024 and utilises publicly available tools and images, illustrating the evolving threat landscape within containerised environments.

The Commando Cat campaign’s initial phase begins with deploying a seemingly benign Docker image named cmd.cat/chattr. This image is derived from the Commando project, an open-source GitHub initiative designed to generate Docker images on demand for developers. By deploying this innocuous container, attackers bypass initial security checks.

Specifically, the actors use the Binds parameter to mount the host’s root directory (/) to /hs inside the container, granting them unrestricted access to the host file system. Additionally, by binding the Docker socket (/var/run/docker.sock:/var/run/docker.sock), the attackers gain direct access to the Docker daemon, allowing them to control Docker as if they were operating directly on the host machine.

Once the container has been created, threat actors employ the chroot command to break out of the container environment and gain access to the host operating system. Tools like curl and wget are then used to download a malicious binary onto the host.
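The two bind mounts described above are visible in the container's own configuration, so a defender can audit them directly from `docker inspect` output (the same JSON the remote API returns from `GET /containers/<id>/json`). The script below is an added example, not code from Trend Micro or the Docker project; the inspect records it reads are constructed to match the shapes the article describes, and the list of sensitive host paths is an assumption chosen for this illustration.

```python
"""Audit Docker container configurations for host-escape bind mounts.

Added example for this article (not Trend Micro's or Docker's tooling).
Input is the JSON list returned by `docker inspect <container...>`; the
sample below is constructed for the example.
"""
import json

# Constructed sample in the shape of `docker inspect` output: one container
# created the way the article describes (host root at /hs, docker.sock bound)
# and one ordinary container that only uses a named volume.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "deadbeef0001",
        "Name": "/chattr-1",
        "Config": {"Image": "cmd.cat/chattr"},
        "HostConfig": {
            "Binds": ["/:/hs", "/var/run/docker.sock:/var/run/docker.sock"],
            "Privileged": False,
        },
    },
    {
        "Id": "deadbeef0002",
        "Name": "/web",
        "Config": {"Image": "nginx:1.25"},
        "HostConfig": {
            "Binds": ["webdata:/usr/share/nginx/html:ro"],
            "Privileged": False,
        },
    },
])

# Assumed list: host paths whose exposure inside a container hands over
# the host (root filesystem, daemon socket, credential and kernel trees).
SENSITIVE_HOST_PATHS = {"/", "/var/run/docker.sock", "/etc", "/root", "/proc", "/sys"}


def parse_bind(bind):
    """Split a HostConfig.Binds entry "src:dst[:opts]" into (src, dst, opts).
    Named volumes have a source without a leading slash."""
    parts = bind.split(":")
    src = parts[0]
    dst = parts[1] if len(parts) > 1 else ""
    opts = parts[2] if len(parts) > 2 else ""
    return src, dst, opts


def is_sensitive_bind(bind):
    """True if the bind's source is a sensitive host path or lies beneath one."""
    src, _, _ = parse_bind(bind)
    if not src.startswith("/"):
        return False  # named volume, not a host path
    norm = src.rstrip("/") or "/"  # "/etc/" and "/etc" compare equal
    if norm in SENSITIVE_HOST_PATHS:
        return True
    return any(norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def audit_containers(inspect_json):
    """Return one finding per container whose HostConfig exposes the host."""
    findings = []
    for c in json.loads(inspect_json):
        host_cfg = c.get("HostConfig", {})
        indicators = [b for b in host_cfg.get("Binds") or [] if is_sensitive_bind(b)]
        if host_cfg.get("Privileged"):
            indicators.append("Privileged=true")
        if indicators:
            findings.append({
                "id": c["Id"],
                "name": c["Name"].lstrip("/"),
                "image": c.get("Config", {}).get("Image", ""),
                "indicators": indicators,
            })
    return findings


if __name__ == "__main__":
    for f in audit_containers(SAMPLE_INSPECT):
        print(f"{f['name']} ({f['image']}): {', '.join(f['indicators'])}")
```

On a live host, pipe `docker inspect $(docker ps -aq)` into `audit_containers`; a hit on `/` or the daemon socket is the configuration the article describes and warrants treating the host, not just the container, as compromised.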

The attack chain explained. | Source: Trend Micro

If the necessary Docker image is not already on the host, the attacker pulls it from the cmd.cat repository. With the image in place, the attacker creates a Docker container and executes a base64-encoded payload. This payload decodes to a shell script that downloads and executes a malicious binary, potentially the ZiggyStarTux IRC bot based on the Kaiten malware, packed using the UPX packer.

Researchers have noted that although the command-and-control (C&C) server associated with this campaign was found to be down during analysis, the malware’s binary contains specific User-Agent strings that can help identify its presence on networks. The malware also attempts to connect to a C&C server at IP address 45.9.148.193 on port 1219.

Cybersecurity experts have urged users to use trusted images, avoid root privileges, restrict access to trusted sources, conduct regular security audits, and follow Docker’s best practices to protect themselves from this attack.
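The entry point for the whole chain is a Docker daemon whose remote API is reachable without client authentication, so "restrict access to trusted sources" starts with the daemon's own `daemon.json`. The check below is an added example, not Docker documentation or Trend Micro code; both configurations are constructed for it, using the documented `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys.

```python
"""Flag a Docker daemon.json that exposes the remote API without client
certificate verification. Added example; the weak and hardened configs
below are constructed for illustration.
"""
import json

# Constructed: plaintext API on every interface, no TLS at all.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed: API bound to one address, clients must present a cert
# signed by the CA in tlscacert. Certificate paths are placeholders.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

TLS_MATERIAL_KEYS = ("tlscacert", "tlscert", "tlskey")


def assess_daemon_config(cfg_json):
    """Return a list of issue strings; an empty list means no remote exposure found."""
    cfg = json.loads(cfg_json)
    issues = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return issues  # only the local unix socket: nothing reachable over the network

    if not cfg.get("tlsverify"):
        issues.append("remote API reachable over TCP without tlsverify "
                      "(no client certificate required)")
    else:
        for key in TLS_MATERIAL_KEYS:
            if not cfg.get(key):
                issues.append(f"tlsverify is set but {key} is missing")

    for h in tcp_hosts:
        addr = h[len("tcp://"):]
        if addr.startswith("0.0.0.0") or addr.startswith("[::]"):
            issues.append(f"{h} listens on all interfaces")
    return issues


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, assess_daemon_config(cfg) or ["ok"])
```

Run it against `/etc/docker/daemon.json`; note that `hosts` can also be set on the `dockerd` command line (`-H`), so an empty `hosts` list in the file is not by itself proof that the API is local-only.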

“The Commando Cat attack campaign highlights the threat posed by the abuse of exposed Docker remote API servers. By exploiting Docker configurations and leveraging open-source tools like cmd.cat, attackers can gain initial access and deploy malicious binaries, while evading conventional security measures,” concluded researchers from Trend Micro.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
