A recent malware campaign dubbed “Commando Cat” has set its sights on exposed Docker API endpoints, posing a significant threat to cloud environments.
This detailed analysis published by CADO delves into its inner workings, uncovering its techniques, motivations, and potential impact.
Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .
Initial Infiltration:
- The attackers exploit exposed Docker API instances, delivering malicious payloads disguised as legitimate tools.
- These payloads leverage the chroot command to escape container confines and gain access to the host system.
- The malware creates backdoors by adding SSH keys and hidden user accounts, granting attackers persistent access.
- A custom script hides processes, making detection even more challenging.
Exfiltrating Valuable Data:
- The campaign employs various scripts to steal credentials from cloud service providers, environment variables, and even Docker containers.
- This stolen data grants attackers deeper access to networks and potentially sensitive information.
- Commando Cat deploys a custom XMRig miner disguised as Docker components, siphoning off computing power for crypto mining.
- The malware even eliminates competing miners, ensuring it gets the biggest slice of the resource pie.
Securing Its Turf:
- The campaign blackholes the Docker registry to prevent other attackers from interfering, effectively isolating the infected system.
- This “scorched earth” tactic highlights the ruthlessness of this campaign.
Key Takeaways:
Commando Cat employs sophisticated evasion techniques, making it difficult to detect and remove.
Its focus on stealing credentials and cryptojacking reveals its profit-driven motives.
The campaign’s association with previously observed malware suggests the existence of copycat groups exploiting established tactics.
Users and organizations must patch vulnerabilities, secure Docker API endpoints, and implement robust endpoint detection and response (EDR) solutions.
Follow us on LinkedIn for the latest cybersecurity news, whitepapers, infographics, and more. Stay informed and up-to-date with the latest trends in cybersecurity.