Commando Cat Continues to Exploit Exposed Docker APIs in Ongoing Cryptojacking Efforts

Cryptojacking campaigns with attackers leveraging Docker images from the open-source Commando project hosted on GitHub have been analyzed by researchers from Trend Micro. This malware campaign, tracked as "Commando Cat," was initially reported by Cado Security, with subsequent activities using similar tactics as the initial report. Attackers target exposed Docker APIs to deploy their Docker image. These containers, sourced from the Commando project's cmd[.]cat/chattr image, serve as a Trojan horse for deploying cryptocurrency miners on compromised systems.

Examining the attack chain observed by Trend Micro, the attack begins with unauthorized access to exposed Docker remote API servers. The attackers deploy the cmd[.]cat/chattr Docker image, which initially appears innocuous. Post-deployment, they execute a series of commands to break out of the container environment using chroot, thus gaining unrestricted access to the host system. This is achieved by manipulating volume bindings, specifically binding the host’s root directory to a directory within the container, thereby sidestepping traditional container isolation mechanisms. Subsequent steps involve running a base64-encoded string, decoded as a shell script, to facilitate the download of a cryptojacking payload using curl or wget, followed by altering the file’s permissions with chmod to prepare it for execution.

Once the initial foothold is secured, the attackers proceed to execute the payload within the host environment. Network artifacts of this campaign include unusual User-Agent strings and the deployment of DropBear SSH on TCP port 3022. Trend Micro's analysis into the tactics, techniques, and procedures of the Commando Cat operators reinforces the Cado Security report of this malicious cyber threat. The campaign exemplifies the need for stringent security controls around Docker installations, particularly concerning the exposure of remote API servers. To mitigate such threats, Trend Micro emphasizes the importance of adhering to container security best practices, such as configuring containers securely, employing only trusted Docker images, and conducting regular security audits to detect anomalies in container deployments.