February 1, 2024 at 05:30PM
Cado researchers discovered "Commando Cat," a malware campaign targeting exposed Docker API endpoints. It is the second cryptojacking campaign observed targeting Docker this year, and it abuses the Docker API to mount the host's filesystem into a container and then run a series of payloads on the host. Overlaps in scripts and infrastructure with other threat groups suggest a possible connection. The campaign is sophisticated in its operation, acting as a credential stealer, a backdoor, and a cryptocurrency miner at the same time.
The key takeaways from the report are:
1. Cado researchers discovered a malware campaign called "Commando Cat" that targets exposed Docker API endpoints.
2. This cryptojacking campaign, active since the beginning of the year, is the second observed targeting Docker this year. The first abused the 9hits traffic exchange application.
3. Attacks on Docker are not rare in cloud environments, and this campaign shows the persistent interest attackers have in abusing the service for a range of objectives.
4. "Commando Cat" uses an exposed Docker API as its initial access vector: it has the daemon mount the host's filesystem into a container and then runs a series of interdependent payloads directly on the host.
5. The threat actor behind "Commando Cat" is currently unclear, but an overlap in scripts and IP addresses points to a possible connection with other groups such as TeamTNT.
6. The campaign goes to considerable lengths to conceal itself, and it acts as a credential stealer, a backdoor, and a cryptocurrency miner simultaneously.
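The technique in takeaway 4 leaves a clear trace on the victim daemon: a container whose bind mount source is the host root (or another sensitive host path), often combined with privileged mode or the host PID namespace. The script below is an added example, not code from Cado's report or from the campaign, showing how to audit records shaped like `docker inspect` / `GET /containers/{id}/json` output for that pattern. The container records, names and IDs in `SAMPLE_INSPECT` are constructed for illustration, and the list of sensitive host paths is the author's assumption of what a practitioner would want flagged.

```python
"""Audit Docker container inspect records for host-filesystem exposure.

Added example (not from the report or the campaign). The records in
SAMPLE_INSPECT are constructed to mimic the shape of `docker inspect`
output; they are not real captures. The SENSITIVE_HOST_PATHS list is an
assumption about which host paths a defender would want flagged.
"""
import json
import posixpath

# Host paths that, when bind-mounted into a container, give the container
# control of the host root or of a privileged host interface (assumption).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")


def sensitive_host_path(src: str) -> bool:
    """Return True if bind-mounting host path `src` exposes the host root
    or one of the sensitive paths above (including anything beneath them)."""
    norm = posixpath.normpath(src)          # "/etc/" -> "/etc", "/a/../" -> "/"
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")


def bind_sources(container: dict):
    """Yield (host_source, container_destination) for every bind mount,
    reading both HostConfig.Binds ("src:dst[:opts]") and the Mounts list."""
    host_cfg = container.get("HostConfig") or {}
    for bind in host_cfg.get("Binds") or []:
        parts = bind.split(":")
        if len(parts) >= 2:
            yield parts[0], parts[1]
    for m in container.get("Mounts") or []:
        if m.get("Type") == "bind":
            yield m.get("Source", ""), m.get("Destination", "")


def audit_container(container: dict) -> list:
    """Return a list of human-readable reasons this container is suspicious
    (empty list when nothing is flagged)."""
    reasons = []
    seen = set()
    for src, dst in bind_sources(container):
        if (src, dst) in seen:              # Binds and Mounts describe the same mount
            continue
        seen.add((src, dst))
        if sensitive_host_path(src):
            reasons.append(f"host path {src} bind-mounted at {dst}")
    host_cfg = container.get("HostConfig") or {}
    if host_cfg.get("Privileged"):
        reasons.append("privileged container")
    if host_cfg.get("PidMode") == "host":
        reasons.append("shares host PID namespace")
    return reasons


def audit(containers: list) -> list:
    """Run audit_container over a list of inspect records; return findings."""
    findings = []
    for c in containers:
        reasons = audit_container(c)
        if reasons:
            findings.append({
                "id": (c.get("Id") or "")[:12],
                "name": (c.get("Name") or "").lstrip("/"),
                "reasons": reasons,
            })
    return findings


# Constructed sample: one benign container and two that mount host paths.
SAMPLE_INSPECT = [
    {"Id": "a1b2c3d4e5f6a7b8", "Name": "/web",
     "HostConfig": {"Binds": None, "Privileged": False, "PidMode": ""},
     "Mounts": [{"Type": "volume", "Name": "webdata", "Destination": "/data"}]},
    {"Id": "0f1e2d3c4b5a6978", "Name": "/hostfs-mount",
     "HostConfig": {"Binds": ["/:/mnt"], "Privileged": True, "PidMode": "host"},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}]},
    {"Id": "9988776655443322", "Name": "/sock-access",
     "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock:rw"],
                    "Privileged": False, "PidMode": ""},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
]

if __name__ == "__main__":
    # On a live host: docker inspect $(docker ps -aq) | python3 this_script.py
    print(json.dumps(audit(SAMPLE_INSPECT), indent=2))
```

The audit deliberately reads both `HostConfig.Binds` and `Mounts`, because older API versions populate only the former and a container created through the raw API may set one without the other; the de-duplication keeps a single finding per mount. Pipe real `docker inspect` output into `audit()` to run it against a live daemon.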