Cybersecurity experts say there’s a campaign called “Commando Cat.” It has exploited exposed Docker remote API servers. This has resulted in the deployment of cryptocurrency miners.
Cybercriminals activated the campaign early this year and it remains active. It utilizes the Commando project to start its attacks. The project is open to the public.
The attackers leverage the cmd.cat/chattr Docker image container. They use it to fetch payloads from their command-and-control (C&C) infrastructure. This poses a significant threat to Docker environments.
A Trend Micro report noted that the attack begins with the deployment of a Docker image. This cmd.cat/chattr image looks benign. The attackers create a Docker container based on it once they deploy the image. They then use chroot to escape the container and get access to the host operating system. The cyber attackers then use tools like curl and wget to download the malicious binary onto the host.
The cybersecurity attack starts with a ping to the Docker Remote API server. The attackers instantiate a container using the cmd.cat/chattr image. This happens after confirming the positive status of the server.
The campaign uses chroot and volume binding to escape the container. This gives the attackers unrestricted access to the host file system. Binding the Docker socket also gives the container direct access to the host’s Docker daemon.
A “No such image” response can happen. Attackers will then pull the chattr Docker image from the cmd.cat repository. They create a Docker container if the image is in place. The attackers then execute a base64-encoded string that translates to a shell script.
The script downloads and executes the malicious binary if the file is absent. The file server ZiggyStarTux is a common target. It’s an open-source IRC bot based on the Kaiten malware.
