Cybersecurity researchers from Cado Security recently discovered a sophisticated new cryptojacking campaign that targets exposed Docker API endpoints over the internet.
The campaign, dubbed "Commando Cat", has been active since early 2024, the researchers added, noting that this was the second such campaign to be discovered in just two months.
According to the report, the attackers deliver an interdependent payload from their own server, leveraging Docker as an initial access vector. The first container, built using the open-source Commando tool, is seemingly benign, but allows the attackers to escape the container and run multiple payloads on the Docker host itself.
The payloads delivered depend on the short-term goals of the campaign, and include establishing persistence, backdooring the host, exfiltrating cloud service provider credentials, and launching cryptocurrency miners, the researchers explained. The cryptocurrency miner deployed as part of this campaign is the infamous XMRig, a hugely popular cryptojacker that mines Monero (XMR), a privacy-oriented currency that is almost impossible to trace.
Commando Cat uses a different folder to temporarily store stolen files, Cado Security's researchers added, suggesting this was done as an evasion mechanism. Indeed, this makes forensic analysis harder, they said.
At press time, the researchers do not know who the threat actors behind Commando Cat are, but say they noticed overlaps in shell scripts and C2 IP addresses with another cryptojacking group called TeamTNT. However, Cado does not believe TeamTNT to be behind this particular campaign, and rather leans towards a copycat group.
To defend against such attacks, users are advised to update their Docker instances and implement the necessary security measures, the researchers concluded.
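One concrete check behind that advice, as an added example that is not from Cado Security's report: a small Python audit of a dockerd `daemon.json` that flags the Engine API listening on TCP without mutual TLS, which is the exposure the campaign relies on for initial access. The configuration keys are the standard dockerd ones; the two sample configurations are constructed for illustration.

```python
"""Audit a dockerd daemon.json for an Engine API exposed over plain TCP.
Added example; not code from Cado Security or the Docker project."""
import json


def api_exposure_findings(daemon_json: str) -> list[str]:
    """Return human-readable findings for one daemon.json document.

    Assumption (labelled): the API is considered protected only when
    'tlsverify' is true and 'tlscacert', 'tlscert' and 'tlskey' are all
    set, so that clients must present a certificate signed by the CA.
    """
    cfg = json.loads(daemon_json)
    hosts = cfg.get("hosts", [])
    if isinstance(hosts, str):
        hosts = [hosts]
    tls_ok = bool(cfg.get("tlsverify")) and all(
        cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")
    )
    findings = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local-only
        addr = h[len("tcp://"):]
        # Strip the port; IPv6 literals keep their brackets ("[::]").
        host_part = addr.rsplit(":", 1)[0] if ":" in addr else addr
        wildcard = host_part in ("", "0.0.0.0", "[::]", "::")
        if not tls_ok:
            findings.append(f"{h}: Engine API reachable without client TLS")
        if wildcard:
            findings.append(f"{h}: bound to all interfaces")
    return findings


# Constructed sample: the weak shape seen on internet-exposed hosts.
WEAK = json.dumps(
    {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
)
# Constructed sample: TCP listener restricted to one address, mutual TLS on.
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, api_exposure_findings(cfg))
```

Run it against the real file with `api_exposure_findings(open("/etc/docker/daemon.json").read())`; an empty list means no TCP listener is reachable without client certificates.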
Earlier this month, the same cybersecurity team discovered a similar campaign, targeting vulnerable Docker hosts to deploy both XMRig and the 9Hits Viewer software. 9hits is a web traffic exchange platform where users can drive traffic among themselves. When a user installs 9hits, their system visits other members' websites via a headless Chrome instance. In exchange, the user receives credits which they can then spend to drive traffic to their own sites. By installing 9hits on compromised Docker instances, the attackers generate additional credits which they can then exchange for more traffic for themselves.
Via The Hacker News