Researchers at Cado Security have reported a malware campaign, dubbed “Commando Cat,” that targets exposed Docker API endpoints.
The cryptojacking campaign has only been active since the beginning of this year, but it is the second one targeting Docker. The first used the 9hits traffic exchange application, according to the researchers. Attacks on Docker are not unusual, however, particularly in cloud environments.
“This campaign demonstrates the continued determination attackers have to exploit the service and achieve a variety of objectives,” the researchers said. “Commando Cat is a cryptojacking campaign leveraging Docker as an initial access vector and (ab)using the service to mount the host’s filesystem, before running a series of interdependent payloads directly on the host.”
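The technique the researchers describe, a container that bind-mounts the host filesystem from an exposed Docker API, leaves a visible trace in the daemon's own container metadata. The following added example (not code from Cado or from the campaign) flags containers whose `docker inspect` output shows a privileged flag or a bind mount of `/` or other sensitive host paths; the inspect records and container names are constructed sample data.

```python
import json
import sys

# Constructed sample of `docker inspect` output for three containers (not real data).
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa", "Name": "/web",
     "HostConfig": {"Privileged": False, "Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
     "Mounts": [{"Type": "bind", "Source": "/srv/www", "Destination": "/usr/share/nginx/html"}]},
    {"Id": "bbb", "Name": "/cmd",
     "HostConfig": {"Privileged": True, "Binds": ["/:/host"]},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}]},
    {"Id": "ccc", "Name": "/worker",
     "HostConfig": {"Privileged": False, "Binds": ["/etc:/hostetc"]},
     "Mounts": [{"Type": "bind", "Source": "/etc", "Destination": "/hostetc"}]},
])

# Host paths whose exposure inside a container gives control of the host.
SENSITIVE_PREFIXES = ("/etc", "/root", "/var/run/docker.sock", "/proc", "/sys")


def risky_mounts(container):
    """Return host source paths of bind mounts that expose / or a sensitive directory."""
    hits = []
    for m in container.get("Mounts", []):
        if m.get("Type") != "bind":
            continue  # named volumes and tmpfs do not expose the host tree
        src = m.get("Source", "")
        if src == "/" or any(src == p or src.startswith(p + "/") for p in SENSITIVE_PREFIXES):
            hits.append(src)
    return hits


def flag_containers(inspect_json):
    """Parse `docker inspect` JSON and return (name, [reasons]) for suspicious containers."""
    findings = []
    for c in json.loads(inspect_json):
        reasons = []
        if c.get("HostConfig", {}).get("Privileged"):
            reasons.append("privileged")
        for src in risky_mounts(c):
            reasons.append(f"host bind mount of {src}")
        if reasons:
            findings.append((c.get("Name", "").lstrip("/"), reasons))
    return findings


if __name__ == "__main__":
    # Pipe real output in with: docker inspect $(docker ps -q) | python3 this_script.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, reasons in flag_containers(data):
        print(f"{name}: {', '.join(reasons)}")
```

A container that mounts the host root read-write and runs privileged matches exactly the pattern described above and should be treated as a host compromise, not a container incident.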
It is unclear who the threat actor behind Commando Cat is or where they are based, though there is overlap in scripts and IP addresses with other groups such as TeamTNT, indicating either a possible connection or a copycat.
Because of its level of redundancy and the amount of evasion it employs, the campaign is sophisticated in how it conceals itself. Acting as a credential stealer, backdoor, and cryptocurrency miner all in one, it makes for a highly stealthy and malicious threat.