
Commando Cat cryptojacking attacks target misconfigured Docker instances

07 June 2024 | Press release | Cryptojacking / Security Vulnerability

The threat actor known as Commando Cat has been linked to an ongoing cryptojacking campaign that exploits poorly secured Docker instances to deploy cryptocurrency miners for financial gain.

“The attackers used the Docker image container cmd.cat/chattr, which retrieves the payload from their own command-and-control (C&C) infrastructure,” said Trend Micro researchers Sunil Bharti and Shubham Singh in an analysis Thursday.

Commando Cat, which takes its name from its use of the open source Commando project to generate a benign container, was first documented by Cado Security earlier this year.


The attacks target misconfigured Docker remote API servers, which are used to deploy a Docker image named cmd.cat/chattr and instantiate a container from it. The attackers then use the chroot command to break out of the container's boundaries and gain access to the host operating system.

The final step is a shell script that retrieves the malicious miner binary from a C&C server (“leetdbs.anondns(.)net/z”) using curl or wget. The binary is believed to be ZiggyStarTux, an open-source IRC bot based on the Kaiten (also known as Tsunami) malware.
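The chain described above (an exposed Docker remote API, a container started from the cmd.cat/chattr image, and a chroot onto the host) leaves artifacts in the Docker daemon's own configuration and in `docker inspect` output. The following is an added example, not code from Trend Micro or from the article, showing a defender-side check over both. It assumes the daemon is configured through `daemon.json` (the `hosts` and `tlsverify` keys are real daemon options) and that container records have the standard `docker inspect` shape; the two sample containers and the two sample daemon configurations are constructed for this example and are not data from the campaign. The bind-mount path `/host` and the container IDs are likewise invented.

```python
"""Flag Docker daemon configs and containers that match the Commando Cat
pattern: an unauthenticated TCP listener on the daemon, the cmd.cat/chattr
image, a host-root bind mount, or a chroot in the container command.

Added example, not code from the article or the campaign report. Sample
inputs below are constructed for illustration.
"""
import json

# Image name the article attributes to the campaign.
SUSPECT_IMAGES = {"cmd.cat/chattr"}

# Host paths that, when bind-mounted, expose the host root or the Docker
# socket itself to a process inside the container.
SENSITIVE_SOURCES = {"/", "/var/run/docker.sock", "/run/docker.sock"}


def exposed_tcp_listeners(daemon_json: str) -> list[str]:
    """Return tcp:// listeners from daemon.json that are not TLS-protected.

    A tcp:// entry in "hosts" without "tlsverify" is the misconfiguration the
    campaign relies on: anyone who can reach the port can create containers.
    """
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify"):
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]


def escape_indicators(container: dict) -> list[str]:
    """Return the reasons one `docker inspect` record could reach the host."""
    reasons = []
    config = container.get("Config", {})
    image = config.get("Image", "")
    if image in SUSPECT_IMAGES:
        reasons.append(f"image {image} associated with Commando Cat")

    host_cfg = container.get("HostConfig", {})
    if host_cfg.get("Privileged"):
        reasons.append("privileged container")
    if host_cfg.get("PidMode") == "host":
        reasons.append("shares host PID namespace")

    for mount in container.get("Mounts", []):
        src = mount.get("Source", "")
        if mount.get("Type") == "bind" and src in SENSITIVE_SOURCES:
            reasons.append(
                f"host path {src} bind-mounted at {mount.get('Destination')}"
            )

    # The chroot onto the mounted host root is the pivot step in the article.
    cmdline = " ".join((config.get("Entrypoint") or []) + (config.get("Cmd") or []))
    if "chroot" in cmdline.split():
        reasons.append("container command invokes chroot")
    return reasons


def scan(inspect_output: str) -> dict[str, list[str]]:
    """Map short container id -> indicators, for every flagged container."""
    findings = {}
    for record in json.loads(inspect_output):
        reasons = escape_indicators(record)
        if reasons:
            findings[record["Id"][:12]] = reasons
    return findings


# Constructed sample: one ordinary web container and one matching the pattern.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "0f0f0f0f0f0f0f0f0f0f",
        "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {"Privileged": False, "PidMode": ""},
        "Mounts": [{"Type": "volume", "Source": "web_data", "Destination": "/usr/share/nginx/html"}],
    },
    {
        "Id": "1a2b3c4d5e6f7a8b9c0d",
        "Config": {"Image": "cmd.cat/chattr", "Cmd": ["chroot", "/host", "sh", "-c", "id"]},
        "HostConfig": {"Privileged": False, "PidMode": ""},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}],
    },
])

# Constructed daemon.json samples: weak (plain TCP) and corrected (TLS-verified).
SAMPLE_DAEMON_WEAK = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
SAMPLE_DAEMON_TLS = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server.pem", "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    print("unauthenticated listeners:", exposed_tcp_listeners(SAMPLE_DAEMON_WEAK))
    for cid, why in scan(SAMPLE_INSPECT).items():
        print(cid, "->", "; ".join(why))
```

On a live host, feed `scan()` the output of `docker inspect $(docker ps -aq)` and `exposed_tcp_listeners()` the contents of `/etc/docker/daemon.json`; a non-empty result from the second function is the root cause to fix first, since the container indicators only matter once an attacker can already talk to the API.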

“The significance of this attack campaign lies in the use of Docker images to deploy cryptojacking scripts on compromised systems,” the researchers said. “This tactic allows attackers to exploit vulnerabilities in Docker configurations while evading detection by security software.”


The disclosure comes after Akamai revealed that years-old vulnerabilities in ThinkPHP applications (CVE-2018-20062 and CVE-2019-9082) are being exploited by a suspected Chinese-speaking threat actor to deploy a web shell called Dama, as part of a campaign running since October 17, 2023.


“The exploit attempts to retrieve additional obfuscated code from another compromised ThinkPHP server to gain initial access,” said Akamai researchers Ron Mankivsky and Maxim Zavodchik. “After successfully exploiting the system, the attackers install a Chinese-language web shell called Dama to gain permanent access to the server.”


The web shell is equipped with several advanced features for collecting system data, uploading files, scanning network ports, elevating privileges, and navigating the file system. The file system access lets the threat actors edit and delete files and alter file timestamps to hinder forensic analysis.

“The recent attacks, which originated from a Chinese-speaking attacker, underscore the ongoing trend of attackers using a full-fledged web shell designed for advanced victim control,” the researchers noted. “Interestingly, not all of the attacked customers used ThinkPHP, suggesting that the attackers are indiscriminately targeting a wide range of systems.”
