Exposed Docker APIs Under Attack in ‘Commando Cat’ Cryptojacking Campaign

Exposed Docker API endpoints over the internet are under assault from a sophisticated cryptojacking campaign called Commando Cat.

“The campaign deploys a benign container generated using the Commando project,” Cado security researchers Nate Bill and Matt Muir said in a new report published today. “The attacker escapes this container and runs multiple payloads on the Docker host.”

The campaign is believed to have been active since the start of 2024, making it the second such campaign to be discovered in as many months. In mid-January, the cloud security firm also shed light on another activity cluster that targets vulnerable Docker hosts to deploy XMRig cryptocurrency miner as well as the 9Hits Viewer software.

Commando Cat employs Docker as an initial access vector to deliver a collection of interdependent payloads from an actor-controlled server that is responsible for registering persistence, backdooring the host, exfiltrating cloud service provider (CSP) credentials, and launching the miner.

The foothold obtained by breaching susceptible Docker instances is subsequently abused to deploy a harmless container using the Commando open-source tool and execute a malicious command that allows it to escape the confines of the container via the chroot command.

It also runs a series of checks to determine if services named “sys-kernel-debugger,” “gsc,” “c3pool_miner,” and “dockercache” are active on the compromised system, and proceeds to the next stage only if this step passes.

“The purpose of the check for sys-kernel-debugger is unclear – this service is not used anywhere in the malware, nor is it part of Linux,” the researchers said. “It is possible that the service is part of another campaign that the attacker does not want to compete with.”

The succeeding phase entails dropping additional payloads from the command-and-control (C2) server, including a shell script backdoor (user.sh) that’s capable of adding an SSH key to the ~/.ssh/authorized_keys file and creating a rogue user named “games” with an attacker-known password and including it in the /etc/sudoers file.

Also delivered in a similar manner are three more shell scripts – tshd.sh, gsc.sh, aws.sh – which are designed to drop Tiny SHell and an improvised version of netcat called gs-netcat, and exfiltrate credentials

The threat actors “run a command on the cmd.cat/chattr container that retrieves the payload from their own C2 infrastructure,” Muir told The Hacker News, noting this is achieved by using curl or wget and piping the resulting payload directly into the bash command shell.

“Instead of using /tmp, [gsc.sh] also uses /dev/shm instead, which acts as a temporary file store but memory backed instead,” the researchers said. “It is possible that this is an evasion mechanism, as it is much more common for malware to use /tmp.”

“This also results in the artifacts not touching the disk, making forensics somewhat harder. This technique has been used before in BPFdoor – a high profile Linux campaign.”

The attack culminates in the deployment of another payload that’s delivered directly as a Base64-encoded script as opposed to being retrieved from the C2 server, which, in turn, drops the XMRig cryptocurrency miner but not before eliminating competing miner processes from the infected machine.

The exact origins of the threat actor behind Commando Cat are currently unclear, although the shell scripts and the C2 IP address have been observed to overlap with those linked to cryptojacking groups like TeamTNT in the past, raising the possibility that it may be a copycat group.

“The malware functions as a credential stealer, highly stealthy backdoor, and cryptocurrency miner all in one,” the researchers said. “This makes it versatile and able to extract as much value from infected machines as possible.”