A new cryptojacking attack campaign dubbed "Commando Cat" has been observed exploiting exposed Docker remote API servers to deploy cryptocurrency miners. Attack operations leverage legitimate Docker images from the open-source Commando project. Commando is a tool designed for on-demand docker image creation, aiding SysOps and DevOps professionals to quickly create them for operations.

Commando Cat Initial Access and Attack Sequence

The Commando Cat campaign identified by researchers from Trend Micro has been active since early 2024. The attack begins with a probe to the Docker Remote API server. If the server responds positively, the attackers create a container using the "cmd.cat/chattr" image. Once a suitable target is located, the attacker deploys a docker image named cmd.cat/chattr, which appears harmless at first glance but serves as a stepping stone for the subsequent stages of the attack. The "cmd.cat/chattr" image allows the attackers to employ techniques like chroot and volume binding to escape the docker container and bind the host system's root directory to the container's own /hs directory, thereby gaining unrestricted access to the host file system. The attackers also bind the Docker socket to the container, allowing them to manipulate Docker as if they were on the host machine itself. If the "cmd.cat/chattr" image isn't found, the attackers pull it from the cmd.cat repository. Once the image is in place, they create a Docker container, executing a base64-encoded script that downloads and executes a malicious binary from their command-and-control (C&C) server. The researchers identified the downloaded binary file as ZiggyStarTux, an open-source IRC botnet based on the Kaiten malware.

Commando Cat Detection and Mitigation

While the researchers noted that the campaign's C&C server was down during analysis, they noted several technical specifics from attack operations. Researchers have advised that potential misuse of DropBear SSH on TCP port 3022, along with use of the 1219 port for its C&C server, can help detect the presence of the malware. Unauthorized IRC communications along with these specific User-Agent strings are other indicators:

• HackZilla/1.67 [en] (X11; U; Linux 2.2.16-3 x64)
• Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)

To prevent such attacks, organizations should adhere to Docker security best practices, including:

• Properly configuring Docker containers and APIs.
• Utilizing only official or certified Docker images.
• Running containers with non-root privileges.
• Limiting container access to trusted sources.
• Regularly performing security audits and scanning for suspicious docker containers.

Additionally the researchers have shared a more detailed list of indicators of compromise (IOCs) to help detect infections. The Commando Cat attack campaign underscores the risks associated with exposed Docker Remote API servers and the potential exploitation of open-source projects by threat actors. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.