Commando Cat CryptoJacking Campaign Exploits Docker API

A recent cryptojacking attack campaign named “Commando Cat” has been discovered exploiting vulnerable Docker remote API servers to deploy cryptocurrency miners. This attack utilizes legitimate Docker images from the open-source Commando project, causing concern among cybersecurity experts.

The Commando project is a helpful tool for creating Docker images on demand, commonly used by SysOps and DevOps professionals for operational purposes. Threat actors have now turned this tool to malicious ends, targeting exposed Docker servers to carry out their nefarious activities.

The Commando Cat campaign, first identified by researchers from Trend Micro in early 2024, follows a specific attack sequence to infiltrate Docker servers. The attackers initiate the attack by probing the Docker Remote API server and, upon receiving a positive response, proceed to create a container using the “cmd.cat/chattr” image. This seemingly harmless image serves as a launching pad for the subsequent stages of the attack.

By leveraging techniques like chroot and volume binding, the attackers escape the Docker container and gain unrestricted access to the host file system. They also bind the Docker socket into the container, enabling them to manipulate Docker as if they were on the host machine itself. In cases where the “cmd.cat/chattr” image is not present, the attackers retrieve it from the cmd.cat repository.

Once the image is deployed, the attackers execute a base64-encoded script within a Docker container, downloading and running a malicious binary from their command-and-control (C&C) server. The researchers identified the downloaded binary file as ZiggyStarTux, an open-source IRC botnet based on the Kaiten malware.

To detect and mitigate Commando Cat attacks, researchers recommend monitoring for unauthorized IRC communications and for the specific User-Agent strings associated with the malware. Additionally, organizations should follow Docker security best practices, such as configuring containers and APIs properly, using only official or certified Docker images, running containers with non-root privileges, limiting container access to trusted sources, and conducting regular security audits and scans for suspicious Docker containers.
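One way to turn the audit recommendation above into a repeatable check, as an added example that is not from the article or from Trend Micro: the script below reads `docker inspect`-style JSON (the `Config.Image`, `Config.User`, `HostConfig.Privileged` and `HostConfig.Binds` fields) and flags the traits this campaign relies on, namely a cmd.cat image, a bind mount of the host root or of the Docker socket, privileged mode, and a root user. The two container records are constructed sample input, not real campaign data.

```python
import json

# Constructed sample of `docker inspect` output (two containers); not real data.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaa111",
        "Name": "/suspicious",
        "Config": {"Image": "cmd.cat/chattr", "User": ""},
        "HostConfig": {
            "Privileged": False,
            "Binds": ["/:/host", "/var/run/docker.sock:/var/run/docker.sock"],
        },
    },
    {
        "Id": "bbb222",
        "Name": "/web",
        "Config": {"Image": "nginx:1.25", "User": "nginx"},
        "HostConfig": {
            "Privileged": False,
            "Binds": ["/srv/www:/usr/share/nginx/html:ro"],
        },
    },
])

# Host paths whose bind mount hands the container host-level control.
SENSITIVE_HOST_PATHS = ("/", "/var/run/docker.sock", "/etc", "/root", "/proc", "/sys")
# Image prefixes the article associates with this campaign (extend per policy).
UNTRUSTED_IMAGE_PREFIXES = ("cmd.cat/",)


def audit_containers(inspect_json: str) -> dict[str, list[str]]:
    """Return {container name: [findings]} for containers showing the traits
    described above; containers with no findings are omitted."""
    findings = {}
    for c in json.loads(inspect_json):
        issues = []
        image = c["Config"].get("Image", "")
        if image.startswith(UNTRUSTED_IMAGE_PREFIXES):
            issues.append(f"image from untrusted source: {image}")
        for bind in c["HostConfig"].get("Binds") or []:
            host_path = bind.split(":", 1)[0]  # "host:container[:opts]"
            if host_path in SENSITIVE_HOST_PATHS:
                issues.append(f"sensitive host path bound: {bind}")
        if c["HostConfig"].get("Privileged"):
            issues.append("privileged container")
        if not c["Config"].get("User"):
            issues.append("runs as root (no User set)")
        if issues:
            findings[c["Name"].lstrip("/")] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_containers(SAMPLE_INSPECT).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Against a live host, feed it `docker inspect $(docker ps -q)` instead of the sample; the socket bind and host-root bind are the findings worth paging on, since a legitimate workload rarely needs either.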

To assist in identifying infections, researchers have also shared a detailed list of indicators of compromise (IOCs) related to the Commando Cat campaign. This incident highlights the risks associated with exposed Docker Remote API servers and underscores the importance of securing open-source projects to prevent exploitation by threat actors.

In conclusion, the Commando Cat attack serves as a stark reminder of the evolving cybersecurity landscape and the need for proactive measures to safeguard digital assets and infrastructure. Organizations must remain vigilant and implement robust security protocols to protect against emerging threats in the ever-changing threat landscape.
