'Commando Cat' Cryptojacking Campaign Exploits Remote Docker API Servers
7 June 2024 at 18:46
Commando Cat Initial Access and Attack Sequence
The Commando Cat campaign, identified by researchers from Trend Micro, has been active since early 2024. The attack begins with a probe to the Docker Remote API server. If the server responds positively, the attackers create a container using the "cmd.cat/chattr" image, which appears harmless at first glance but serves as a stepping stone for the subsequent stages of the attack. The "cmd.cat/chattr" image allows the attackers to employ techniques like chroot and volume binding to escape the Docker container and bind the host system's root directory to the container's own /hs directory, thereby gaining unrestricted access to the host file system.
The attackers also bind the Docker socket to the container, allowing them to manipulate Docker as if they were on the host machine itself. If the "cmd.cat/chattr" image isn't found, the attackers pull it from the cmd.cat repository.
Once the image is in place, they create a Docker container, executing a base64-encoded script that downloads and executes a malicious binary from their command-and-control (C&C) server. The researchers identified the downloaded binary file as ZiggyStarTux, an open-source IRC botnet based on the Kaiten malware.
Commando Cat Detection and Mitigation
While the researchers noted that the campaign's C&C server was down during analysis, they recorded several technical specifics from attack operations. Researchers have advised that potential misuse of DropBear SSH on TCP port 3022, along with use of port 1219 for the C&C server, can help detect the presence of the malware. Unauthorized IRC communications, along with these specific User-Agent strings, are other indicators:
- HackZilla/1.67 [en] (X11; U; Linux 2.2.16-3 x64)
- Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)

Mitigation measures include:
- Properly configuring Docker containers and APIs.
- Utilizing only official or certified Docker images.
- Running containers with non-root privileges.
- Limiting container access to trusted sources.
- Regularly performing security audits and scanning for suspicious docker containers.
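
As an added example (not from the original article or from Trend Micro's report), the following Python script audits `docker inspect` output for the container traits described above: an image from the cmd.cat repository, the host root directory bind-mounted into the container, and the Docker socket bind-mounted into the container. The function names, the sample data and the socket paths (Docker's default locations) are assumptions made for this example.

```python
import json

# Indicators from the article; socket paths are Docker's defaults (assumption).
SUSPECT_IMAGE_PREFIX = "cmd.cat/"
DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}

def audit_container(info):
    """Return findings for one container object from `docker inspect`."""
    findings = []
    image = (info.get("Config") or {}).get("Image", "")
    if image.startswith(SUSPECT_IMAGE_PREFIX):
        findings.append(f"image from cmd.cat repository: {image}")
    for mount in info.get("Mounts") or []:
        if mount.get("Type") != "bind":
            continue
        src = mount.get("Source", "")
        src = src.rstrip("/") or src  # drop trailing slashes, keep "/" itself
        dst = mount.get("Destination", "")
        if src == "/":
            findings.append(f"host root bound to {dst}")
        elif src in DOCKER_SOCKETS:
            findings.append(f"Docker socket bound to {dst}")
    return findings

def audit(inspect_json):
    """Map container name to findings, for containers with any finding."""
    report = {}
    for info in json.loads(inspect_json):
        findings = audit_container(info)
        if findings:
            report[info.get("Name") or info.get("Id", "?")] = findings
    return report

# Constructed sample shaped like `docker inspect` output (not real data).
SAMPLE = json.dumps([
    {"Name": "/c1", "Config": {"Image": "cmd.cat/chattr"},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hs"},
                {"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
    {"Name": "/web", "Config": {"Image": "nginx:1.25"},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/www/_data",
                 "Destination": "/usr/share/nginx/html"},
                {"Type": "bind", "Source": "/srv/www/", "Destination": "/www"}]},
])

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```

On a real host, pass `audit()` the JSON printed by `docker inspect $(docker ps -aq)`. A Docker socket bind on its own also appears in some legitimate management containers, so treat that finding as a prompt for review.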