A sophisticated cryptojacking campaign known as Commando Cat is targeting exposed Docker API endpoints over the internet. Security researchers from Cado report that the campaign deploys a benign container using the Commando project and escapes the container to run multiple payloads on the Docker host. Believed to be active since the beginning of 2024, the campaign exploits Docker as an initial access vector, deploying payloads that include a shell script backdoor, cryptocurrency miners, and other malicious commands. Commando Cat demonstrates versatility by functioning as a credential stealer, stealthy backdoor, and cryptocurrency miner.
The Commando Cat cryptojacking campaign utilizes Docker API endpoints as an initial access point for deploying a collection of interdependent payloads. These payloads are delivered from an actor-controlled server, responsible for actions like registering persistence, backdooring the host, exfiltrating cloud service provider credentials, and launching cryptocurrency miners. Docker is exploited to deliver a harmless container using the Commando open-source tool, enabling the escape of malicious commands. The campaign checks for the presence of specific services on compromised systems and proceeds with further stages, showcasing a multi-step, sophisticated approach.
The foothold gained by breaching vulnerable Docker instances is leveraged by Commando Cat to deploy payloads and execute malicious commands. The threat actors run a command on a container, retrieving the payload from their command-and-control infrastructure. Commando Cat employs evasion mechanisms such as using /dev/shm for temporary file storage instead of /tmp, making forensics more challenging. The cryptojacking campaign is versatile, serving as a credential stealer, stealthy backdoor, and cryptocurrency miner, highlighting the attackers’ ability to extract maximum value from compromised machines.
Commando Cat’s attack concludes with the deployment of another payload delivered as a Base64-encoded script, dropping the XMRig cryptocurrency miner while eliminating competing miners on the infected machine. While the exact origins of the threat actor remain unclear, similarities with cryptojacking groups like TeamTNT suggest a potential copycat group. The campaign’s multifaceted nature makes it a potent threat, posing challenges for detection and mitigation across infected systems.
