Docker API endpoints exposed to the internet are under attack from a sophisticated cryptojacking campaign called Commando Cat.
"The campaign deploys a benign container generated using the Commando project," Cado security researchers Nate Bill and Matt Muir said in a new report published today. "The attacker escapes this container and runs multiple payloads on the Docker host."
The campaign is believed to have been active since the start of 2024, making it the second such campaign to be discovered in as many months. In mid-January, the cloud security firm also shed light on another activity cluster that targets vulnerable Docker hosts to deploy the XMRig cryptocurrency miner as well as the 9Hits Viewer software.
Commando Cat uses Docker as the initial access vector to deliver a set of interdependent payloads from an actor-controlled server; together they register persistence, backdoor the host, exfiltrate cloud service provider (CSP) credentials, and launch the miner. The Docker Engine API itself is the weak point here: when the daemon is bound to a TCP port without TLS client authentication, anyone who can reach it can create containers with arbitrary settings, which is equivalent to root on the host.
The foothold obtained by breaching an exposed Docker instance is then used to deploy a harmless container built with the open-source Commando tool and to execute a malicious command that escapes the confines of the container via chroot.
The payload also runs a series of checks to determine whether services named "sys-kernel-debugger," "gsc," "c3pool_miner," and "dockercache" are active on the compromised system, and proceeds to the next stage only if this step passes.
"The purpose of the check for sys-kernel-debugger is unclear – this service is not used anywhere in the malware, nor is it part of Linux," the researchers said. "It's possible that the service is part of another campaign that the attacker does not want to compete with."
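A chroot escape of the kind described above is only possible if the container was started with a route back to the host, typically the host's root filesystem bind-mounted inside it, often together with `--privileged` or `--pid=host`. The triage script below, added here as an illustration rather than taken from Cado's report or the attacker's tooling, scans `docker inspect` output for exactly those settings. The `SAMPLE_INSPECT` document and the image name in it are constructed for the example; on a real host, feed it the output of `docker inspect $(docker ps -aq)`.

```python
"""Flag containers configured with a route back to the host.

Added example for this article, not code from Cado or the Commando Cat
operators. Assumption: a chroot-based escape needs the host's root
filesystem bind-mounted into the container, usually alongside
--privileged or --pid=host, so those are the settings this triage looks
for in `docker inspect` output. SAMPLE_INSPECT is constructed.
"""
import json

# Host paths that should not be bind-mounted into an untrusted container.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")

# Constructed sample: a mundane web container and one shaped like the
# escape precondition (host root mounted at /hs, privileged, host PID namespace).
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaa111",
        "Name": "/web",
        "Config": {"Image": "nginx:1.25"},
        "HostConfig": {"Privileged": False, "PidMode": "",
                       "Binds": ["webdata:/usr/share/nginx/html"]},
    },
    {
        "Id": "bbb222",
        "Name": "/cmd-cat",
        "Config": {"Image": "commando-generated:latest"},  # constructed image name
        "HostConfig": {"Privileged": True, "PidMode": "host",
                       "Binds": ["/:/hs"]},
    },
])


def bind_source(bind):
    """Host side of a bind spec ("src:dst[:opts]"); named volumes have no leading slash."""
    return bind.split(":", 1)[0]


def is_sensitive_source(src):
    """True for the host root or any path under one of the sensitive prefixes."""
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def escape_risk(container):
    """Return the settings on one container that give it a path to the host."""
    hc = container.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged")
    if hc.get("PidMode") == "host":
        findings.append("pid=host")
    for bind in hc.get("Binds") or []:
        if is_sensitive_source(bind_source(bind)):
            findings.append("host bind " + bind)
    return findings


def triage(inspect_json):
    """Map container name -> findings, omitting containers with none."""
    report = {}
    for container in json.loads(inspect_json):
        findings = escape_risk(container)
        if findings:
            report[container["Name"].lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_INSPECT).items():
        print(name, "->", ", ".join(findings))
```

A bind of `/` into the container is worth investigating on its own, even without the privileged flag: once the host root is visible at a path like `/hs`, `chroot` into it is all the "escape" an attacker needs to run commands against host files and the host's own Docker socket.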
The next phase drops additional payloads from the command-and-control (C2) server, including a shell script backdoor (user.sh) that adds an SSH key to the ~/.ssh/authorized_keys file and creates a rogue user named "games" with an attacker-known password, adding it to the /etc/sudoers file.
Also delivered in the same manner are three more shell scripts – tshd.sh, gsc.sh, aws.sh – which respectively drop Tiny SHell, an improvised version of netcat called gs-netcat, and exfiltrate credentials and environment variables.
"Instead of using /tmp, [gsc.sh] also uses /dev/shm instead, which acts as a temporary file store but memory backed instead," the researchers said. "It's possible that this is an evasion mechanism, as it's much more common for malware to use /tmp."
"This also results in the artifacts not touching the disk, making forensics somewhat harder. This technique has been used before in BPFdoor – a high profile Linux campaign."
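The persistence artifacts described in the last few paragraphs (a sudoers entry for a low-numbered system account, an appended SSH key, executables staged under the memory-backed /dev/shm) are all things a responder can check for on a suspect Docker host. The script below is an added example written for this article, not code from Cado or from the campaign; the `SAMPLE_PASSWD`, `SAMPLE_SUDOERS`, `SAMPLE_AUTHORIZED_KEYS` and `KNOWN_KEYS` inputs are constructed, and the key fingerprints and the `games` login shell in them are placeholders. It assumes an operator can supply an allow-list of expected admins and known-good keys; on a live host, read the real files and point `executable_files` at `/dev/shm` and `/tmp`.

```python
"""Triage a Linux host for Commando Cat-style persistence artifacts.

Added example, not Cado's or the malware's code. All sample inputs are
constructed. "games" is a stock system account (uid 5) on many
distributions, normally with a nologin shell; a sudoers entry for it, or
a login shell on it, is the signal this script looks for.
"""
import os
import stat
import tempfile

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
games:x:5:60:games:/usr/games:/bin/bash
ops:x:1000:1000:ops:/home/ops:/bin/bash
"""

SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
games   ALL=(ALL) NOPASSWD:ALL
"""

# Constructed key material; real deployments would load this from config management.
KNOWN_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOpsKey ops@bastion"}

SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOpsKey ops@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQexampleattacker attacker
"""


def parse_passwd(text):
    """Map user name -> uid, home, shell from /etc/passwd content."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "home": home, "shell": shell}
    return users


def sudoers_users(text):
    """User specs in a sudoers file (skips comments, Defaults, %group and @include lines)."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults", "%", "@")):
            continue
        users.add(line.split()[0])
    return users


def rogue_sudo_users(passwd_text, sudoers_text, expected_admins=frozenset({"root"})):
    """Sudoers users outside the expected set, with whether each is a system account (uid < 1000)."""
    passwd = parse_passwd(passwd_text)
    findings = []
    for user in sorted(sudoers_users(sudoers_text) - set(expected_admins)):
        rec = passwd.get(user)
        findings.append({
            "user": user,
            "system_account": rec is not None and rec["uid"] < 1000,
            "shell": rec["shell"] if rec else None,
        })
    return findings


def unknown_authorized_keys(keys_text, known=KNOWN_KEYS):
    """authorized_keys lines that are not in the known-good set."""
    lines = (l.strip() for l in keys_text.splitlines())
    return [l for l in lines if l and not l.startswith("#") and l not in known]


def executable_files(directory):
    """Regular files with any execute bit set; /dev/shm should normally hold none."""
    hits = []
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            mode = entry.stat(follow_symlinks=False).st_mode
            if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                hits.append(entry.name)
    return sorted(hits)


def demo_shm():
    """Stand-in for /dev/shm: a temp dir holding one executable and one plain file."""
    with tempfile.TemporaryDirectory() as shm:
        for name, mode in (("gsc", 0o755), ("notes.txt", 0o644)):
            path = os.path.join(shm, name)
            with open(path, "w") as fh:
                fh.write("x")
            os.chmod(path, mode)
        return executable_files(shm)


if __name__ == "__main__":
    print("rogue sudoers:", rogue_sudo_users(SAMPLE_PASSWD, SAMPLE_SUDOERS))
    print("unknown keys:", unknown_authorized_keys(SAMPLE_AUTHORIZED_KEYS))
    print("executables in shm stand-in:", demo_shm())
```

Because /dev/shm is memory-backed, anything staged there disappears on reboot, so run the `executable_files` check (and capture the files) before powering the host down; the sudoers and authorized_keys changes, by contrast, survive and are what keeps the attacker in.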
The attack culminates in the deployment of a final payload, delivered directly as a Base64-encoded script rather than retrieved from the C2 server, which drops the XMRig cryptocurrency miner, but not before killing competing miner processes on the infected machine.
The exact origins of the threat actor behind Commando Cat are currently unclear, although the shell scripts and the C2 IP address overlap with those linked to cryptojacking groups like TeamTNT in the past, raising the possibility that it is a copycat group.
"The malware functions as a credential stealer, highly stealthy backdoor, and cryptocurrency miner all in one," the researchers said. "This makes it versatile and able to extract as much value from infected machines as possible."