Teacher
The attackers behind this campaign pursue several goals at once...
Open Docker API endpoints are being attacked over the internet as part of a sophisticated cryptojacking campaign called "Commando Cat".
"The operation uses a secure container created using the Commando project," explained Cado Security researchers. "The attackers found a way to exit this container and run arbitrary payloads on the Docker host."
The campaign is believed to have been active since the beginning of 2024. It is the second such campaign identified in the last couple of months: in mid-January, researchers discovered another cluster of attacks on vulnerable Docker hosts that deployed the XMRig cryptominer and the 9Hits Viewer software.
In this operation, the exposed Docker API serves as the initial access vector for delivering a set of interdependent malicious programs from the attackers' server. Those programs are responsible for maintaining persistence on the system, installing backdoors, exfiltrating cloud service provider credentials, and launching the cryptominer itself.
The access gained to a vulnerable Docker instance is first used to deploy a benign container built with an open-source command tool, then to run a malicious command that "breaks out" of the container using chroot.
A series of checks is also performed on the compromised system for running services named "sys-kernel-debugger", "gsc", "c3pool_miner", and "dockercache". The next stage begins only if these checks pass, and consists of fetching additional malware from the attackers' command-and-control server.
Among the downloaded programs is a backdoor script, "user.sh", which can add SSH keys and create fake user accounts with superuser rights and passwords known to the attackers. The scripts "tshd.sh", "gsc.sh" and "aws.sh" are also delivered to install further backdoors and exfiltrate credentials.
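As an added defender-side example (not code from the original post or from the Cado Security research), the checks below flag the two host-side conditions this chain depends on: a container that has the host root filesystem bind-mounted or runs privileged (the precondition for a chroot breakout from a container), and extra UID-0 accounts of the kind the user.sh backdoor creates. The function names and the sample `docker inspect` / passwd data are constructed for illustration.

```python
"""Host audit helpers for the Commando Cat chain (added example, not the
original research). Inputs mirror `docker inspect` JSON output and the
/etc/passwd format; the samples at the bottom are constructed."""
import json


def risky_containers(inspect_json: str) -> list[str]:
    """Return short IDs of containers that bind-mount the host root ('/')
    or run with --privileged, i.e. containers from which a chroot breakout
    onto the Docker host is possible."""
    flagged = []
    for container in json.loads(inspect_json):
        host_cfg = container.get("HostConfig", {})
        binds = host_cfg.get("Binds") or []
        # A bind entry looks like "/host/path:/container/path[:opts]".
        mounts_host_root = any(b.split(":", 1)[0] == "/" for b in binds)
        if mounts_host_root or host_cfg.get("Privileged"):
            flagged.append(container["Id"][:12])
    return flagged


def extra_root_accounts(passwd_text: str) -> list[str]:
    """Return usernames other than 'root' whose UID is 0: the fake
    superuser accounts a backdoor like user.sh leaves behind."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


# Constructed sample data: one breakout-capable container, one normal one.
SAMPLE_INSPECT = json.dumps([
    {"Id": "a1b2c3d4e5f6aaaa", "HostConfig": {"Binds": ["/:/hostroot"], "Privileged": False}},
    {"Id": "0123456789abcdef", "HostConfig": {"Binds": ["/data:/data"], "Privileged": False}},
])
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33::/var/www:/usr/sbin/nologin\n"
    "svcuser:x:0:0::/:/bin/sh\n"   # constructed UID-0 account, not a real indicator
)

if __name__ == "__main__":
    print("breakout-capable containers:", risky_containers(SAMPLE_INSPECT))
    print("extra UID-0 accounts:", extra_root_accounts(SAMPLE_PASSWD))
```

On a live host the same functions can be fed the output of `docker inspect $(docker ps -q)` and the contents of /etc/passwd.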
The attack ends with the deployment of another payload in the form of a Base64-encoded script that installs the XMRig cryptocurrency miner, after removing competing miners from the infected machine.
The exact origin of the threat is still unknown, although overlaps with the scripts and command-and-control server IP addresses of the TeamTNT cryptojacking group have been detected. This may be the work of a copycat group.
According to the researchers, "this malware functions as a credential hijacker, a stealthy backdoor, and a cryptominer all at the same time." This makes it a universal tool for maximizing the resources of infected machines.