In findings released by Cado researchers, they discovered a malware campaign, dubbed “Commando Cat,” which is targeting exposed Docker API endpoints.
The cryptojacking campaign has only been active since the beginning of this year, but it is the second one targeting Docker. The first used the 9hits traffic exchange application, according to the researchers. However, these Docker attacks aren’t necessarily unusual, especially in cloud environments.
“This campaign demonstrates the continued determination attackers have to exploit the service and achieve a variety of objectives,” the researchers said. “Commando Cat is a cryptojacking campaign leveraging Docker as an initial access vector and (ab)using the service to mount the host’s filesystem, before running a series of interdependent payloads directly on the host.”
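A defender-side check for the pattern the researchers describe (a container created through the Docker API with the host filesystem bind-mounted or run privileged), written as an added example for this article and not taken from Cado’s report. The container records are constructed to mimic the shape of `docker inspect` output; the list of sensitive host paths is an assumption for illustration.

```python
"""Flag containers whose configuration gives them reach into the host system."""
import json
from typing import Dict, List

# Host directories whose bind-mounting into a container is worth alerting on
# (assumed list for this example; tune to your environment).
SENSITIVE_DIRS = ("/etc", "/root", "/home", "/boot", "/proc", "/sys", "/var/run/docker.sock")

# Constructed sample in the shape of `docker inspect` output: one ordinary web
# container and one that mounts the host root and the Docker socket.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaaa1111", "Name": "/web",
     "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": False}},
    {"Id": "bbbb2222", "Name": "/cmd",
     "HostConfig": {"Binds": ["/:/mnt", "/var/run/docker.sock:/var/run/docker.sock"],
                    "Privileged": True}},
])


def host_source(bind: str) -> str:
    """A Binds entry is 'host_path:container_path[:options]'; return the host side."""
    return bind.split(":", 1)[0]


def is_sensitive(path: str) -> bool:
    """True if the host path is the root or lies under a sensitive directory."""
    path = path.rstrip("/") or "/"
    if path == "/":
        return True
    return any(path == d or path.startswith(d + "/") for d in SENSITIVE_DIRS)


def flag_host_access(containers: List[dict]) -> Dict[str, List[str]]:
    """Map container name -> reasons it can reach the host filesystem or kernel."""
    findings: Dict[str, List[str]] = {}
    for c in containers:
        name = c.get("Name", "").lstrip("/") or c.get("Id", "?")[:12]
        hc = c.get("HostConfig", {})
        reasons = []
        if hc.get("Privileged"):
            reasons.append("privileged")
        if hc.get("PidMode") == "host":
            reasons.append("pid=host")
        for bind in hc.get("Binds") or []:
            src = host_source(bind)
            if is_sensitive(src):
                reasons.append(f"bind-mount {src}")
        if reasons:
            findings[name] = reasons
    return findings


def scan_sample() -> Dict[str, List[str]]:
    """Run the check over the constructed sample above."""
    return flag_host_access(json.loads(SAMPLE_INSPECT))
```

In practice the input comes from `docker inspect $(docker ps -aq)` or from the daemon’s container-create events, and any hit on a host that should not run such containers is a strong signal.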
It’s unclear who the threat actor behind Commando Cat is or where they’re from, though there is an overlap in scripts and IP addresses with other groups like TeamTNT, indicating a possible connection or a copycat.
Because of the level of redundancy and the amount of evasion, the campaign is sophisticated in how it conceals itself. Acting as a credential stealer, backdoor, and cryptocurrency miner all in one, it makes for a highly stealthy and malicious threat.