
Commando Cat, a clever cryptojacking campaign, targets Docker API endpoints that are exposed to the internet.

“The campaign deploys a benign container generated using the Commando project,” Cado researchers Nate Bill and Matt Muir wrote today. “The attacker escapes this container and runs multiple payloads on the Docker host.”

The campaign is the second found in as many months and is believed to have started in 2024. In mid-January, the cloud security firm revealed another activity cluster targeting unprotected Docker servers to run the XMRig cryptocurrency miner and 9Hits Viewer.

Commando Cat uses Docker as its initial access vector to distribute interdependent payloads from an actor-controlled server. Together these payloads establish persistence, backdoor the host, steal cloud service provider (CSP) credentials, and launch the miner.
</gml_replace>
<gr_replace lines="11" cat="clarify" orig="After penetrating">
After gaining access to a vulnerable Docker instance, the attacker uses the open-source Commando tool to launch an innocuous container, then runs a malicious command inside it that escapes the container using chroot.

After penetrating vulnerable Docker instances, the Commando open-source tool is used to launch an innocuous container and run a malicious command that allows it to leave the container using the chroot command.

It also checks for the “sys-kernel-debugger,” “gsc,” “c3pool_miner,” and “dockercache” services on the compromised system and moves on if any of them are present.

“The purpose of the check for sys-kernel-debugger is unclear – this service is not used anywhere in the malware, nor is it part of Linux,” they stated. “It is possible that the service is part of another campaign that the attacker does not want to compete with.”

In the next phase, the C2 server drops additional payloads, including a shell script backdoor (user.sh) that adds an SSH key to the ~/.ssh/authorized_keys file, creates a rogue user “games” with an attacker-known password, and adds that user to /etc/sudoers.

Three more shell scripts—tshd.sh, gsc.sh, aws.sh—drop Tiny SHell and gs-netcat and exfiltrate credentials.

The threat actors “run a command on the cmd.cat/chattr container that retrieves the payload from their own C2 infrastructure,” Muir told The Hacker News, utilizing curl or wget and piping the payload into bash.

“Instead of using /tmp, [gsc.sh] also uses /dev/shm instead, which acts as a temporary file store but memory backed instead,” the team noted. “It is possible that this is an evasion mechanism, as it is much more common for malware to use /tmp.”

This prevents artifacts from hitting the disk, making forensics tougher. The same method was employed by BPFdoor, a high-profile Linux campaign.

Another payload is delivered directly as a Base64-encoded script rather than fetched from the C2 server. It drops the XMRig cryptocurrency miner, but first kills competing miner processes on the victim machine.
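The host-side footprint described above (a sudoers rule for the rogue “games” user, an SSH key added to authorized_keys, payloads staged in memory-backed /dev/shm, and a Docker API listening on TCP without TLS verification) can be audited with a script like the one below. This is an added example, not Cado's tooling; it runs over host data an operator has already collected, and the SAMPLE_STATE contents are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

ROGUE_USER = "games"  # account name the campaign adds, per the report above

def check_sudoers(sudoers: str) -> List[str]:
    """Flag sudoers rules that grant privileges to the rogue 'games' account."""
    return [f"sudoers rule for '{ROGUE_USER}': {ln.strip()}"
            for ln in sudoers.splitlines()
            if re.match(rf"^\s*{ROGUE_USER}\s", ln)]

def check_authorized_keys(current: str, baseline: str) -> List[str]:
    """Report keys in authorized_keys that are absent from the operator's baseline."""
    known = {ln.strip() for ln in baseline.splitlines() if ln.strip()}
    return [f"unknown SSH key: {ln.strip()[:32]}..."
            for ln in current.splitlines()
            if ln.strip() and not ln.startswith("#") and ln.strip() not in known]

def check_dev_shm(listing: List[Tuple[str, int]]) -> List[str]:
    """Executable files in /dev/shm are suspicious; gsc.sh stages there to stay off disk."""
    return [f"executable in /dev/shm: {name}" for name, mode in listing if mode & 0o111]

def check_docker_hosts(hosts: List[str], tls_verify: bool) -> List[str]:
    """A tcp:// dockerd listener without TLS client verification is the exposed API abused here."""
    return [f"Docker API on {h} without TLS verification" for h in hosts
            if h.startswith("tcp://") and not tls_verify]

def audit(state: Dict) -> List[str]:
    """Run every check over collected host data and return the list of findings."""
    return (check_sudoers(state["sudoers"])
            + check_authorized_keys(state["authorized_keys"], state["authorized_keys_baseline"])
            + check_dev_shm(state["dev_shm"])
            + check_docker_hosts(state["docker_hosts"], state["docker_tls_verify"]))

# Constructed sample of a host showing the campaign's footprint; not real data.
SAMPLE_STATE = {
    "sudoers": "root ALL=(ALL:ALL) ALL\ngames ALL=(ALL) NOPASSWD:ALL\n",
    "authorized_keys": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPERATORKEY ops@host\n"
                       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCATTACKERKEY\n",
    "authorized_keys_baseline": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPERATORKEY ops@host\n",
    "dev_shm": [("gsc", 0o755), ("pulse-shm-1234", 0o600)],  # (file name, mode bits)
    "docker_hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "docker_tls_verify": False,
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_STATE):
        print(finding)
```

Each check is independent, so a single unexpected finding (for example only the /dev/shm executable) still surfaces even when the other indicators are absent.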

The threat actor behind Commando Cat is unknown, although the shell scripts and C2 IP address have been linked to cryptojacking groups like TeamTNT, suggesting a copycat group.

“The malware functions as a credential stealer, highly stealthy backdoor, and cryptocurrency miner all in one,” they claimed. “This makes it versatile and able to extract as much value from infected machines as possible.”


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.
