2024-02-22

Commando Cat's Evasive Maneuvers

Level: Tactical  |  Source: Cado Security  |  Global

In a recent investigation, Cado Security detailed a cryptojacking campaign it named 'Commando Cat', which gains initial access through exposed Docker API endpoints. The campaign is part of a wider trend of attacks on cloud workloads, and on Docker services in particular. What distinguishes Commando Cat is its multi-stage attack chain: once the attacker reaches an exposed Docker API, a series of payloads is executed on the underlying host rather than merely inside a container. These payloads establish persistence, open backdoor access, exfiltrate cloud service provider credentials, and finally deploy cryptocurrency mining software. The chain also includes evasion techniques, notably a process-hiding mechanism, which shows both the attackers' capability and their intent to stay resident on compromised systems without being noticed.

The attack begins with the attacker pulling the Docker image cmd[.]cat/chattr, chosen because it looks benign. The image comes from the Commando Project, which builds Docker images on demand containing whatever command-line tools are requested, so the attacker obtains the utilities they need without shipping an obviously malicious image. The attacker then starts a container with a custom command that breaks out to the host operating system; with control of the Docker API this requires no vulnerability, since the host's filesystem can simply be mounted into the container and entered with chroot. On the host, the command checks for specific services before fetching further stages, so the payloads are only deployed where the environment meets the attacker's expectations. The scripts involved, including tshd.sh, gsc.sh, and aws.sh, each have a distinct role: deploying additional backdoors such as TinyShell and gs-netcat, and harvesting cloud service credentials. Together they show the care taken to compromise the environment and prepare it for the final payload, the XMRig cryptocurrency miner.
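The initial-access step above is visible in the Docker API itself: a container-create request whose image, bind mounts and command together say "give me the host". The detector below is an added example written for this page, not Cado Security's code or tooling. It consumes a `containers/create` request body or a `docker inspect` object; the two sample bodies are constructed, the mount target `/hs`, the placeholder command and the severity thresholds are the author's assumptions, and the only campaign-specific indicator is the cmd.cat image namespace named in the text.

```python
"""Flag Docker container-create requests matching the Commando Cat
initial-access pattern: a throwaway container from a cmd.cat image with the
host root bind-mounted and a command that chroots into it.
Added example; the request bodies below are constructed samples."""
import posixpath
import re
from typing import Any

# Image namespaces worth flagging on their own (Commando project images).
SUSPICIOUS_IMAGE_PREFIXES = ("cmd.cat/",)
# Host paths that hand a container effective control of the host when mounted.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/proc", "/sys",
                        "/var/run/docker.sock", "/run/docker.sock")
# Binaries that turn a host mount into a host shell.
ESCAPE_BINARIES = {"chroot", "nsenter"}
# Rules that are enough on their own to raise an alert (assumed thresholds).
HIGH_SEVERITY_RULES = {"commando-image", "host-root-mount", "chroot-into-mount"}


def _bind_sources(host_config: dict[str, Any]) -> list[str]:
    """Host-side paths from HostConfig.Binds ("host:container[:opts]") and Mounts."""
    sources = [b.split(":", 1)[0] for b in host_config.get("Binds") or []]
    for mount in host_config.get("Mounts") or []:
        if mount.get("Type", "bind") == "bind" and mount.get("Source"):
            sources.append(mount["Source"])
    # Named volumes ("data:/var/lib/x") are not host paths; keep absolute paths only.
    return [posixpath.normpath(s) for s in sources if s.startswith("/")]


def _command_text(config: dict[str, Any]) -> str:
    parts: list[str] = []
    for field in ("Entrypoint", "Cmd"):
        value = config.get(field) or []
        parts.extend([value] if isinstance(value, str) else value)
    return " ".join(parts)


def inspect_container_create(body: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (rule_id, message) findings for a containers/create request body
    or a `docker inspect` object (which nests Image/Cmd under "Config")."""
    config = body.get("Config", body)
    host_config = body.get("HostConfig") or {}
    findings: list[tuple[str, str]] = []

    image = str(config.get("Image", ""))
    if image.startswith(SUSPICIOUS_IMAGE_PREFIXES):
        findings.append(("commando-image",
                         f"image {image} comes from the cmd.cat (Commando) project"))

    sources = _bind_sources(host_config)
    for src in sources:
        if src == "/":
            findings.append(("host-root-mount",
                             "host root filesystem is bind-mounted into the container"))
        elif any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS):
            findings.append(("sensitive-mount", f"sensitive host path {src} is bind-mounted"))

    if host_config.get("Privileged"):
        findings.append(("privileged", "container requested --privileged"))
    if host_config.get("PidMode") == "host":
        findings.append(("host-pid", "container shares the host PID namespace"))

    # Compare basenames so "/usr/sbin/chroot" matches as well as "chroot".
    words = {posixpath.basename(w)
             for w in re.findall(r"[A-Za-z0-9_./-]+", _command_text(config))}
    if sources and words & ESCAPE_BINARIES:
        findings.append(("chroot-into-mount",
                         "command runs chroot/nsenter with a host bind mount present"))
    return findings


def is_suspicious(body: dict[str, Any]) -> bool:
    return any(rule in HIGH_SEVERITY_RULES for rule, _ in inspect_container_create(body))


# Constructed sample request bodies (not captured traffic from the campaign).
BENIGN_CREATE = {
    "Image": "nginx:1.25",
    "Cmd": ["nginx", "-g", "daemon off;"],
    "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
}
SUSPICIOUS_CREATE = {
    "Image": "cmd.cat/chattr",
    "Cmd": ["chroot", "/hs", "/bin/sh", "-c", "echo placeholder-for-stage-2"],
    "HostConfig": {"Binds": ["/:/hs"], "AutoRemove": True},
}

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_CREATE), ("suspicious", SUSPICIOUS_CREATE)):
        print(name, is_suspicious(body), inspect_container_create(body))
```

The rule split is deliberate: a privileged flag or a mount of `/etc` alone is common in legitimate tooling and is reported at lower severity, whereas a root-filesystem mount, a chroot/nsenter command paired with any host mount, or an image from the cmd.cat namespace is enough to alert on. Feeding it `docker inspect` output after the fact works the same way, which is useful when the API traffic itself was not captured.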

Detection engineers should note several points: initial access through a misconfigured, exposed Docker API; the abuse of the Docker service itself to break out of the container; and the scripts that steal credentials and install backdoors. user.sh, which modifies system files and SSH configuration to keep access, and tshd.sh, which deploys TinyShell, give a clear picture of the attacker's operational tactics, and both leave host artifacts (new keys, changed sshd settings, new services) that monitoring can catch. The aws.sh script's credential theft shows why reads of credential files and of process environment variables, where cloud SDKs and CLIs commonly look for keys, deserve monitoring alongside file changes. Finally, the attacker's use of a Docker registry 'blackhole', as Cado describes it, to lock out competing attackers and keep exclusive control of the compromised host is a novel technique detection engineers should be aware of.
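The SSH-based persistence mentioned above leaves two artifacts a host check can audit: sshd_config directives that loosen access, and authorized_keys entries nobody provisioned. The audit below is an added example written for this page, not Cado Security's code and not a transcription of the user.sh script; the directives it flags are the author's choice, the key lines, allow-list and config text are constructed, and the sample user name is invented.

```python
"""Audit SSH persistence artifacts of the kind the user.sh stage is described
as leaving: weakened sshd_config directives and unknown authorized_keys.
Added example; all inputs below are constructed samples."""
import base64
import hashlib
import re
import struct

# sshd_config directives and the values that weaken access control (author's list).
WEAK_DIRECTIVES = {
    "permitrootlogin": {"yes"},
    "passwordauthentication": {"yes"},
    "permitemptypasswords": {"yes"},
}
DEFAULT_AUTHORIZED_KEYS_FILES = {".ssh/authorized_keys", ".ssh/authorized_keys2"}
KEY_RE = re.compile(
    r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+|sk-[\w.-]+@openssh\.com)"
    r"\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?")


def key_fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a public key blob (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_sshd_config(text: str) -> list[str]:
    """Report weakening directives, tracking which Match block they sit in."""
    findings, context = [], "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            context = f"Match {value}"
            continue
        if keyword in WEAK_DIRECTIVES and value.lower() in WEAK_DIRECTIVES[keyword]:
            findings.append(f"{context}: {parts[0]} {value} weakens access control")
        if keyword == "authorizedkeysfile" and set(value.split()) - DEFAULT_AUTHORIZED_KEYS_FILES:
            findings.append(f"{context}: AuthorizedKeysFile points at non-default path(s): {value}")
    return findings


def audit_authorized_keys(text: str, allowed_fingerprints: set[str]) -> list[str]:
    """Report keys whose fingerprint is not on the provisioning allow-list."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            findings.append(f"unparseable authorized_keys line: {line[:40]}")
            continue
        fp = key_fingerprint(m.group(2))
        if fp not in allowed_fingerprints:
            findings.append(f"unknown key {fp} ({m.group(1)}, {m.group(3) or '(no comment)'})")
    return findings


def audit_ssh_persistence(sshd_config_text: str, authorized_keys_text: str,
                          allowed_fingerprints: set[str]) -> list[str]:
    return (audit_sshd_config(sshd_config_text)
            + audit_authorized_keys(authorized_keys_text, allowed_fingerprints))


def _constructed_ed25519_line(filler: int, comment: str) -> str:
    """Syntactically valid ssh-ed25519 line built from filler bytes; not a real key."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([filler]) * 32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed samples: one provisioned admin key, one key nobody provisioned.
ADMIN_KEY = _constructed_ed25519_line(0x01, "admin@bastion")
ROGUE_KEY = _constructed_ed25519_line(0x02, "svcbot@localhost")
ALLOWED_FINGERPRINTS = {key_fingerprint(ADMIN_KEY.split()[1])}
SAMPLE_AUTHORIZED_KEYS = "\n".join(["# managed by config management", ADMIN_KEY, ROGUE_KEY])
SAMPLE_SSHD_CONFIG = """
# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication no
AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/keys/%u
Match User svcbot
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for finding in audit_ssh_persistence(SAMPLE_SSHD_CONFIG, SAMPLE_AUTHORIZED_KEYS,
                                         ALLOWED_FINGERPRINTS):
        print(finding)
```

Comparing fingerprints rather than raw key text means a re-encoded or re-commented copy of a provisioned key is still recognised, and a key that merely reuses a trusted comment string is still caught. Run it against real files with the allow-list taken from your provisioning source, not from the host being audited.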

Cado Security's Commando Cat report follows its recent report on a threat actor using the 9hits web traffic application to commandeer Docker environments for cryptojacking. Both campaigns show the growing need to secure cloud environments with detection built around adversary behaviors.
