Commando Cat Cryptojacking Attacks Target Misconfigured Docker Instances

The threat actor known as Commando Cat has been linked to an ongoing cryptojacking attack campaign that leverages poorly secured Docker instances to deploy cryptocurrency miners for financial gain.

“The attackers used the cmd.cat/chattr docker image container that retrieves the payload from their own command-and-control (C&C) infrastructure,” Trend Micro researchers Sunil Bharti and Shubham Singh said in a Thursday analysis.

Commando Cat, so named for its use of the open-source Commando project to generate a benign container, was first documented earlier this year by Cado Security.

The attacks are characterized by the targeting of misconfigured Docker remote API servers to deploy a Docker image named cmd.cat/chattr, which is then used as a basis to instantiate a container and break out of its confines using the chroot command, and gain access to the host operating system.

The final step entails retrieving the malicious miner binary using a curl or wget command from a C&C server (“leetdbs.anondns[.]net/z”) by means of a shell script. The binary is suspected to be ZiggyStarTux, an open-source IRC bot based on the Kaiten (aka Tsunami) malware.

“The significance of this attack campaign lies in its use of Docker images to deploy cryptojacking scripts on compromised systems,” the researchers said. “This tactic allows attackers to exploit vulnerabilities in Docker configurations while evading detection by security software.”

The disclosure comes as Akamai revealed that years-old security flaws in ThinkPHP applications (e.g., CVE-2018-20062 and CVE-2019-9082) are being exploited by a suspected Chinese-speaking threat actor to deliver a web shell dubbed Dama as part of a campaign that has been underway since October 17, 2023.

“The exploit attempts to retrieve additional obfuscated code from another compromised ThinkPHP server to gain initial foothold,” Akamai researchers Ron Mankivsky and Maxim Zavodchik said. “After successfully exploiting the system, the attackers will install a Chinese language web shell named Dama to maintain persistent access to the server.”

The web shell is equipped with several advanced capabilities to gather system data, upload files, scan network ports, escalate privileges, and navigate the file system, the latter of which enables threat actors to perform operations like file editing, deletion, and timestamp modification for obfuscation purposes.

“The recent attacks originated by a Chinese-speaking adversary highlight an ongoing trend of attackers using a fully fledged web shell, designed for advanced victim control,” the researchers noted. “Interestingly, not all targeted customers were using ThinkPHP, which suggests that the attackers may be indiscriminately targeting a broad range of systems.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.